Privacy Policy
Last Updated: March 2026
1. Introduction
NjangiPay is committed to protecting the privacy and security of your personal data. This policy outlines how we collect, use, and safeguard information when you use our mobile application and services to manage Njangis, Sou-Sous, and ROSCAs.
2. Information We Collect
To comply with Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) regulations and Anti-Money Laundering (AML) laws, we collect:
- Identity Data: Full name, date of birth, residential address, and government-issued ID via our verification partners (e.g., Plaid Identity Verification, Persona).
- Contact Data: Phone number (verified via OTP) and email address.
- Financial Data: Bank account details linked securely through Plaid for processing via Nuvei or Interac. We never store your banking login credentials.
- Biometric Data: We utilize on-device authentication (Face ID/Touch ID via local_auth) to authorize transactions. Biometric data is stored securely in your device's Secure Enclave/Keystore and is never transmitted to our backend infrastructure.
3. How We Use Your Information
Your data is used strictly to provide the NjangiPay service:
- To process contributions, payouts, and automated Interac EFTs securely through our payment gateways (Nuvei, Stripe).
- To maintain a transparent and auditable ledger (transactions and rotation schedules) for your savings group.
- To report to credit bureaus (e.g., Equifax) for credit-building programs (if you explicitly opt in).
- To prevent fraud, verify identity, and comply with KYC (Know Your Customer) and FINTRAC MSB (Money Services Business) obligations.
4. Data Security & Storage
We employ enterprise-grade security protocols. All data in transit is encrypted via TLS 1.3, and data at rest is encrypted in our PostgreSQL databases hosted on secure Amazon Web Services (AWS) infrastructure. Sensitive documents like KYC IDs are stored in restricted AWS S3 buckets. JSON Web Tokens (JWTs) are used for secure session management.
5. Third-Party Sharing
We do not sell your personal data. We only share data with essential infrastructure partners (e.g., AWS, Plaid, Nuvei, Twilio) strictly for executing the services you request, or when legally compelled by regulatory authorities such as FINTRAC.
6. Your Rights
Under applicable privacy laws (including PIPEDA), you have the right to access, correct, or request deletion of your personal data. However, due to FINTRAC record-keeping requirements, certain financial transaction records and KYC data must be retained for a minimum of 7 years, even after account deletion.