Privacy
Policy.

usezwap Ltd ("ZWAP," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy ("Policy") explains how we collect, use, store, share, and protect your personal information when you use our website at usezwap.com (the "Website"), our mobile applications (the "App"), and our crypto and fiat payments platform (collectively, the "Service").

This Policy applies to all users of the Service, including registered account holders, visitors to our Website, and individuals who interact with us through any other channel.

By accessing or using the Service, you consent to the practices described in this Policy. If you do not agree with this Policy, please do not use the Service.

This Policy should be read alongside our Terms of Use and AML Policy, which contain additional information about how we handle your data in the context of our services.

We collect information that you provide directly to us, information that is collected automatically when you use the Service, and information that we receive from third parties.

A. Information You Provide Directly

• Account Registration: Full legal name, email address, phone number, and password.
• Identity Verification (KYC): Bank Verification Number (BVN), National Identification Number (NIN), clear photograph of a government-issued identification document (passport, national ID card, voter's card, or driver's license), and a live selfie photograph for facial matching.
• Banking Information: Bank account details (account number, bank name) provided for deposit and withdrawal purposes. We do not store your internet banking credentials or PIN.
• Transaction Data: Details of transactions you initiate through the Service, including amounts, currencies, wallet addresses, bank accounts, timestamps, and transaction statuses.
• Card Information: Shipping address for physical card delivery. We do not store your full card number — Visa card data is handled by our licensed card issuer partner.
• Communications: Content of messages you send to our support team, feedback forms, and any other communications with us.
• Job Applications: If you apply for a position through our careers page, we collect your resume/CV, cover letter, portfolio URL, LinkedIn profile, and any other information you provide in your application.

B. Information Collected Automatically

• Device Information: Device type, operating system, browser type and version, screen resolution, and language preferences.
• Log Data: IP address, access times, pages viewed, features used, click patterns, scroll depth, and referring URL.
• Location Data: Approximate location derived from your IP address. We do not access your device's GPS location without your explicit permission.
• Cookies & Similar Technologies: Session cookies, authentication tokens, and analytics cookies. See Section 5 for full details.
• Performance Data: Page load times, error logs, crash reports, and other technical data that help us diagnose and fix issues.

C. Information Received from Third Parties

• BVN/NIN Verification: When you provide your BVN or NIN, we verify your identity through authorized Nigerian government databases (NIBSS, NIMC). These systems return verification results but do not share your underlying data with us beyond what is necessary for the verification.
• Blockchain Data: Public blockchain transaction data associated with your deposit addresses, including transaction hashes, amounts, timestamps, and wallet addresses. This data is inherently public on the blockchain.
• Banking Partners: Transaction confirmation data from our licensed banking partners when processing deposits and withdrawals.
• Card Issuer: Card transaction data (merchant name, amount, location, date) from our Visa card issuer partner for the purpose of displaying your card transaction history.
• Identity Verification Services: Results from third-party KYC vendors who assist with document verification, facial matching, and sanctions screening.

D. Sensitive Personal Data

In the course of providing the Service, we process the following categories of sensitive personal data as defined by the Nigeria Data Protection Act (NDPA) 2023:

We use your personal information for the following purposes:

A. To Provide and Operate the Service

• Creating and managing your ZWAP account.
• Verifying your identity in compliance with KYC/AML regulations.
• Processing crypto deposits, conversions, and naira credits.
• Processing cryptocurrency purchases and transfers to external wallets.
• Processing bank deposits and withdrawals.
• Managing your Savings Vault (deposits, yield calculations, withdrawals).
• Issuing and managing ZWAP Visa debit cards.
• Facilitating ZWAP ID (ZID) transfers between users.
• Displaying transaction history and account balances.
• Providing customer support.

B. For Security and Fraud Prevention

• Real-time transaction monitoring and anomaly detection.
• Screening against sanctions lists, PEP databases, and adverse media.
• Verifying transactions that trigger security alerts.
• Preventing unauthorized access to accounts.
• Investigating suspected fraud, money laundering, or other illegal activity.
• Implementing device fingerprinting to detect account compromise.

C. For Legal and Regulatory Compliance

• Complying with the Nigeria Data Protection Act (NDPA) 2023.
• Complying with Central Bank of Nigeria (CBN) regulations on crypto assets.
• Complying with Securities and Exchange Commission (SEC) requirements.
• Filing Suspicious Transaction Reports (STRs) with the Nigeria Financial Intelligence Unit (NFIU).
• Responding to lawful requests from regulators, law enforcement agencies, and courts.
• Maintaining records as required by applicable law (minimum 5 years for financial records).

D. For Product Improvement

• Analyzing usage patterns to improve the user experience.
• Identifying bugs, errors, and performance issues.
• Conducting A/B testing on new features.
• Aggregating anonymized statistics about platform usage (e.g., "60% of users deposit USDT via TRC-20").

E. For Communications

• Sending transaction confirmations and account notifications.
• Sending security alerts (e.g., password change, new device login).
• Sending product updates and feature announcements (with your consent).
• Responding to your inquiries and support requests.

We process your personal data only when we have a lawful basis to do so. Under the Nigeria Data Protection Act (NDPA) 2023, our legal bases include:

When we rely on consent, you may withdraw it at any time by contacting us at privacy@usezwap.com or through your account settings. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

We do not sell your personal data to any third party. We share your information only in the circumstances described below.

A. Licensed Financial Partners

We share necessary information with licensed Nigerian banks and financial institutions to process deposits, withdrawals, and card transactions. This includes your name, account details, and transaction instructions. These partners are bound by confidentiality obligations under their licensing terms and applicable banking regulations.

B. Card Issuer Partner

We share your name, delivery address, and naira balance status with our licensed Visa card issuer partner for the purpose of issuing and managing your ZWAP debit card. Card transaction data is shared back to us for display in your transaction history.

C. KYC and Compliance Vendors

We share your identity documents (government ID, selfie) with vetted third-party KYC vendors who perform document verification, facial matching, and liveness checks on our behalf. These vendors are contractually obligated to delete your documents after verification and are prohibited from using them for any other purpose.

D. Government and Regulatory Authorities

• NIBSS: BVN and NIN verification requests.
• NFIU: Suspicious Transaction Reports (STRs) when required by law.
• CBN, SEC, and other regulators: Compliance reports, audit responses, and regulatory filings.
• Law enforcement: In response to a court order, warrant, or other lawful legal process.

E. Service Providers

• Cloud infrastructure: Secure data hosting and storage.
• Analytics: Anonymized usage analytics (we strip personal identifiers before sharing).
• Communication: Email delivery services for transaction notifications.
• Security: Fraud detection, DDoS protection, and penetration testing services.

All service providers are contractually bound to process data only as instructed by us, maintain appropriate security measures, and not use the data for their own purposes.

F. Counterparties on the ZWAP Platform

When you send or receive funds to/from another ZWAP user, they see your ZWAP ID (ZID) — not your legal name, phone number, or other personal information. See our Terms of Use, Section 11, for full details on ZID privacy.

G. Corporate Transactions

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you via email at least 30 days before any such transfer and provide you with the opportunity to exercise your data rights.

Data Storage Location

Your data is stored on secure servers located in data centers operated by reputable cloud infrastructure providers. Primary data storage is within jurisdictions that provide adequate data protection. In some cases, data may be replicated across geographic regions for redundancy and disaster recovery.

Security Measures

We implement industry-standard technical and organizational security measures to protect your personal data:

• Encryption at Rest: All personal data stored in our databases is encrypted using AES-256 or equivalent encryption standards.
• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 or higher.
• Access Controls: Role-based access control (RBAC) ensures that only authorized personnel can access personal data, and only to the minimum extent necessary for their role.
• Authentication: Multi-factor authentication (MFA) is required for all staff accessing production systems.
• Audit Logging: All access to personal data is logged and regularly reviewed.
• Vulnerability Management: Regular penetration testing, automated vulnerability scanning, and a bug bounty program.
• Infrastructure Security: Web application firewalls (WAF), DDoS protection, intrusion detection/prevention systems (IDS/IPS), and network segmentation.
• Employee Training: Mandatory security awareness training for all staff.
• Incident Response: Documented incident response plan with defined roles, escalation procedures, and notification timelines.

What We Do Not Store

• Your private keys or seed phrases — we never ask for them and have no mechanism to access them.
• Your full Visa card number — card data is tokenized by our card issuer partner.
• Your internet banking password or PIN — we never ask for these.
• Blockchain private keys for external wallets you send crypto to.

No system is perfectly secure. While we implement robust security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security. In the event of a data breach, we will follow our incident response plan and notify affected individuals and regulators as required by law.

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, as described below:

When retention periods expire, personal data is securely deleted or anonymized in accordance with our data disposal procedures. We may retain certain data in anonymized or aggregated form which cannot be attributed to any individual.

We use cookies and similar tracking technologies for the purposes described below. A cookie is a small text file stored on your device when you visit our Website.

A. Strictly Necessary Cookies

These cookies are essential for the Service to function and cannot be disabled:

• Session Cookie: Maintains your logged-in state during a browser session. Expires when you close your browser.
• Authentication Token: Secure token used by our App to maintain your login without requiring repeated password entry.
• CSRF Protection: Prevents cross-site request forgery attacks on forms.
• Server Load Balancing: Routes your requests to the appropriate server for optimal performance.

B. Analytics Cookies (Optional)

These cookies help us understand how visitors interact with our Website by collecting anonymized information. We use this data to improve the user experience.

• _zwap_sess: Session identifier for analytics. Anonymized before processing.
• _zwap_id: Anonymous visitor identifier to distinguish unique users. Does not contain personal data.

You can opt out of analytics cookies through your browser settings or by using the opt-out mechanism below.

C. How to Manage Cookies

• Chrome: Settings → Privacy and Security → Cookies and other site data.
• Safari: Preferences → Privacy → Manage Website Data.
• Firefox: Settings → Privacy & Security → Cookies and Site Data.
• Edge: Settings → Cookies and site permissions → Manage and delete cookies.

Disabling cookies may affect certain features of the Service. Strictly necessary cookies cannot be disabled as the Service will not function without them.

D. We Do NOT Use:

• Third-party advertising cookies.
• Cross-site tracking pixels from ad networks.
• Browser fingerprinting for advertising purposes.
• Selling data to data brokers or advertisers.

ZWAP ID (ZID) is a privacy feature that replaces your legal name with an alphanumeric alias (e.g., ZID-4X9RK2) on transaction records visible to other ZWAP users.

What ZID hides:

• Your legal name is not shown to counterparties when sending or receiving ZWAP-to-ZWAP payments.
• Your phone number and email are never displayed to other users.
• Your bank account details are never shared with counterparties.

What ZID does NOT hide:

• ZWAP maintains your full KYC records (legal name, BVN, NIN, ID documents) as required by Nigerian law.
• In response to a lawful request from regulators, law enforcement, or courts, we will disclose your identity and transaction history.
• ZID prevents casual privacy violations (landlord, vendor, acquaintance seeing your name) — it does not create anonymity from the state.

Technical implementation:

• ZID is generated randomly at account creation and is not derived from your personal data.
• ZID is unique across all ZWAP accounts and cannot be changed.
• The mapping between your ZID and your account is stored in our encrypted internal database and is never exposed via our API or user-facing interfaces.
• You can share your ZID or associated QR code to receive payments without disclosing personal information.

Cryptocurrency transactions are recorded on public blockchains. This has important privacy implications that you should understand:

What is publicly visible on the blockchain:

• Your ZWAP deposit wallet address (a string of alphanumeric characters starting with "T", "0x", etc.).
• The destination wallet address if you purchase crypto through ZWAP.
• Transaction amounts, timestamps, and network confirmation details.

What is NOT publicly visible:

• Your name, email, phone number, or any personal identifier is never included in on-chain transactions.
• There is no way for a third party to link your ZWAP deposit address to your ZWAP account without access to our internal systems.
• We generate unique deposit addresses per user and do not reuse addresses across accounts.

Immutability:

Once a transaction is confirmed on the blockchain, it cannot be altered or deleted — by us, by you, or by anyone. This is a fundamental property of blockchain technology. If you send crypto to the wrong address, the transaction is permanent. This is why we display clear warnings before every transaction and emphasize verifying the destination address and network.

Analytics services:

Blockchain analytics companies (e.g., Chainalysis, TRM Labs) may analyze public blockchain data and potentially associate deposit addresses with our service. This is beyond our control as we do not operate the blockchain networks. We do not share your personal identity with these services.

Under the Nigeria Data Protection Act (NDPA) 2023 and other applicable privacy laws, you have the following rights regarding your personal data:

A. Right of Access

You have the right to request a copy of the personal data we hold about you. To make a request, contact privacy@usezwap.com. We will respond within 30 days. For security reasons, we may verify your identity before fulfilling the request.

B. Right to Rectification

You have the right to correct inaccurate or incomplete personal data. You can update most information directly in your account settings. For changes to KYC data (name, ID documents), contact our support team as these require re-verification.

C. Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data, subject to certain exceptions:

• We may retain data required by law (e.g., AML records must be kept for 5 years after the business relationship ends).
• We may retain anonymized data that cannot identify you.
• We may retain data necessary for established, exercised, or defended legal claims.
• Transaction records on public blockchains cannot be deleted by us (see Section 10).

To request account deletion, contact privacy@usezwap.com. Please note that account deletion is permanent and irreversible — you will lose access to your balance and all associated data. We will facilitate the withdrawal of any remaining funds before deletion, except where prohibited by law (e.g., active compliance hold).

D. Right to Restrict Processing

You have the right to request that we limit how we process your data in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interest.

E. Right to Data Portability

You have the right to request your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV). Contact privacy@usezwap.com to make this request.

F. Right to Object

You have the right to object to processing of your personal data based on legitimate interest or for direct marketing. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

G. Right to Withdraw Consent

Where we rely on consent as our legal basis, you may withdraw consent at any time through your account settings or by contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

H. Right to Lodge a Complaint

You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe our processing of your personal data violates the NDPA. You may also contact us first, and we will endeavor to resolve your complaint within 30 days.

How to Exercise Your Rights

Your personal data may be transferred to and processed in countries other than Nigeria. This occurs when:

• Our cloud infrastructure providers store data in data centers located outside Nigeria.
• Our KYC verification vendors process your identity documents on servers outside Nigeria.
• Our card issuer partner processes card-related data in their jurisdiction.
• You access the Service from a country other than Nigeria.

Safeguards for International Transfers:

• We only transfer data to countries or territories that provide an adequate level of data protection.
• Where adequacy is not formally determined, we implement appropriate safeguards including: standard contractual clauses, binding corporate rules, encryption in transit and at rest, access restrictions, and audit rights.
• All third-party data processors are contractually bound to provide at least the same level of protection as required by the NDPA.
• We maintain a register of all international data transfers, including the categories of data transferred, the recipient, the purpose, and the safeguards applied.

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If we discover that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete that data from our systems. If you believe that a child under 18 has provided us with personal information, please contact privacy@usezwap.com.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the NDPC within 72 hours of becoming aware of the breach, as required by the NDPA.
• Notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
• Investigate the breach to determine its scope, cause, and impact.
• Remediate the vulnerability that caused the breach.
• Document the breach, our response, and the lessons learned.

The notification to you will include, where feasible:

• A description of the nature of the breach in plain language.
• The name and contact details of our Data Protection Officer.
• The likely consequences of the breach.
• Measures taken or proposed to address the breach.
• Recommendations for steps you can take to mitigate potential harm.

We may delay notification if doing so would impede a law enforcement investigation, in which case we will document the reason for the delay.

The Service may contain links to third-party websites, applications, or services (e.g., blockchain explorers, partner exchanges, regulatory websites) that are not operated or controlled by us.

This Privacy Policy does not apply to third-party websites or services. We are not responsible for the privacy practices of third parties. We encourage you to read the privacy policies of any third-party service you interact with.

The inclusion of a link on our Service does not imply our endorsement of the linked site or service.

We may update this Privacy Policy from time to time. Changes will be effective upon the earlier of:

• The "Last Updated" date at the top of this page.
• Notice via email (for material changes affecting your rights).
• A banner on our Website or in-app notification.

Material changes (e.g., new data categories, new purposes of processing, changes to your rights) will be communicated at least 14 days before they take effect.

Non-material changes (e.g., clarifying language, updating contact details) may be made without advance notice.

Your continued use of the Service after changes are posted constitutes your acceptance of the revised Policy. We encourage you to review this page periodically.