DATA PROTECTION AND PRIVACY POLICY
Effective Date: This Policy shall be effective from 20th April, 2025.
1. Introduction
1.1. Bkey Inc. (we, our, us) is a non-custodial stablecoin wallet infrastructure provider designed to make digital finance accessible, secure, and practical for everyday users. We are fully committed to protecting the privacy and confidentiality of the Personal Data which you disclose to Us.
1.2. We have created this Data Protection and Privacy Policy (the “Policy”) to demonstrate our respect for your privacy and to disclose our information collection and sharing practices, which are in line with applicable data protection laws of the locations where we operate (Applicable Data Protection Laws). Regardless of whether you provide us with your Personal Data via our websites, web application or in another manner (e.g. telephone, regular mail or face-to-face interactions, including through our extension agents), we strive to honour your privacy preferences and process your Personal Data in compliance with the Nigerian Data Protection Act 2023.
1.3. This Policy represents the minimum principles and standards applicable and where there is a higher standard or principle of data protection imposed by the Company or any Applicable Law, the higher standard or principle shall apply.
2. Definition
In this Policy, the following words shall, unless the context requires otherwise, have the following meanings:
3. Purpose of this Policy
This Policy is based on the privacy and data protection principles and requirements applicable to Nigeria where we operate. It is applied in view of our overarching desire to comply with the provisions of the Applicable Data Protection Laws, to preserve the confidentiality of your Personal Data and to provide you with our services as effectively as possible within the bounds of the law.
This Policy applies to all Personal Data processed by us and is part of our approach towards full compliance. This Policy is applicable to all our services accessed by you, as well as in our interactions with you, including our processing of your Personal Data. All our staff are required to comply with this Policy.
This Policy outlines how we collect, use, and protect your Personal Data in our interactions with you and in accordance with Applicable Data Protection Laws.
4. Purpose of Processing and Lawful Basis
Where processing is based on consent, we shall obtain the requisite consent directly from you at the time of collecting your Personal Data. Where we access your Personal Data through a third-party who relies on your consent, we will ensure that the consent is freely given by you and obtained without fraud, coercion or undue influence.
By clicking on the ‘Send Message’ button on the ‘Contact Us’ section of our website, you consent to the collection, retention, and use of your information as set forth in this Policy. If you do not agree to this Policy, you may exit and discontinue use of the website.
You can withdraw your consent at any time, but such withdrawal shall not affect the lawfulness of processing based on consent given prior to the withdrawal.
5. Data Protection Principles
We comply with the data protection principles set out below. When processing Personal Data, we ensure that:
● it is processed lawfully, fairly and in a transparent manner;
● it is collected for specified, explicit and legitimate purposes;
● it is at all times adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
● it is at all times accurate and, where necessary, kept up to date and that reasonable steps are taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
● it is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed; and
● it is processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
6. The Personal Data We Collect
(a) We collect and process certain information about you through the services you use, such as our web application, when you onboard as a user, subscribe to our newsletter as a community member, contact us via web or through social media sites. The specific categories of Personal Data we may collect include, but are not limited to:
i) Contact Information: This includes your name, date of birth, contact address, email address, phone number, professional details, nationality, state or province, and national identity number.
ii) Communication Data: Information related to your interactions with us, including emails, support inquiries, and any feedback you provide.
iii) Financial Information: This includes your bank account information, bank account name and number, bank verification number, mobile payment number, payment method preferences, and any other information you choose to provide.
iv) Usage Data: We collect data about how you use our websites, such as device information and browsing history.
v) Device and Log Information: We gather information about the devices you use to access our services, including device type, operating system, and unique device identifiers. Additionally, we collect log information, such as IP addresses, browser type, and access times, to improve our website.
vi) Geographical Data: In some cases, we may collect information on your geographical location to provide location-specific services.
vii) Other Information: Any additional information you provide to us voluntarily or that we collect, such as your potential value to our program, public information from publicly available sources, including open postings on social media.
Biometric Authentication and Data Handling
Your biometric data (e.g., facial recognition or face scan) is used solely as a secure means of accessing your non-custodial wallet on your personal device. This biometric data is stored locally on your device and is used to generate or unlock a cryptographic key.
Bkey does not collect, store, transmit, or process your biometric data in any form. We do not retain any record, backup, or copy of your biometric information.
As a result, you are entirely responsible for managing access to your device and biometric settings. If you lose access to your device or biometric login, Bkey cannot assist with account recovery, as we have no visibility or control over your authentication method.
(b) We will always strive to minimize the collection of Personal Data to what is necessary for the intended purpose. Where applicable and required by law, we will obtain your consent before collecting certain categories of Personal Data. Our Personal Data collection is always conducted in accordance with Applicable Data Protection Laws and best practices.
(c) It is important to note that certain Personal Data may be necessary to provide you with our services, and refusal to provide such data may impact our ability to serve you effectively. We are committed to ensuring the security and confidentiality of your Personal Data, and our data processing activities are conducted in accordance with this Policy and Applicable Data Protection Laws.
Recipients of Personal Data
We only share your Personal Data with third-parties when it is necessary to provide you with our services or to comply with legal or regulatory requirements. Your Personal Data may be shared with the following categories of recipients:
(a) Our affiliates and international offices
(b) Third-party partners
7. Third-Party Data Processors and Subprocessors
We only share your Personal Data with third parties where it is necessary for the performance of our services, legal compliance, or to support our legitimate business operations. These third parties may act as data processors or subprocessors on our behalf.
We take the following measures to ensure your Personal Data is handled securely and lawfully:
(a) Categories of Recipients: We may share your Personal Data with:
Our affiliates and international offices who support service delivery;
Payment service providers and banking infrastructure partners;
Customer service and support vendors;
Cloud storage and infrastructure providers;
Analytics and advertising partners (only with your consent);
Legal, regulatory, or tax authorities where required by law.
(b) Processor Agreements: We enter into Data Processing Agreements (DPAs) with all third-party processors. These agreements:
Require them to act only on our documented instructions;
Prohibit unauthorized disclosure or reuse of your Personal Data;
Mandate appropriate technical and organizational measures to safeguard your data;
Require notification of any data breaches within strict timeframes.
(c) Subprocessors: Where third-party processors engage subprocessors, we ensure that:
We are informed of and approve such engagements in advance;
Subprocessors are bound by similar data protection obligations;
Appropriate contractual safeguards are in place (e.g., Standard Contractual Clauses).
(d) International Transfers
If any third party or subprocessor is located outside Nigeria, we ensure compliance with cross-border data transfer rules as outlined in Clause 10 of this Policy.
We continuously review and assess our third-party vendors to ensure compliance with this Policy and applicable data protection laws.
8. Rights of Data Subjects
We have processes in place to ensure that we can facilitate any request made by a Data Subject to exercise their rights under Applicable Data Protection Laws. All staff have received training and are aware of the rights of Data Subjects. Our Data Protection Officer (DPO), working with other trained staff, will ensure that all requests will be considered without undue delay and within one month of receipt as far as possible. The contact details of our DPO are indicated in Clause 15 below.
As a Data Subject, you have the following rights:
(a) Your right of access - You have the right to request copies of your Personal Data.
(b) Your right to rectification - You have the right to ask us to rectify your Personal Data where inaccurate, incomplete or misleading.
(c) Your right to erasure - You have the right to ask us to erase your Personal Data held with us, and we will oblige your request without any undue delay, except where we have a legal obligation to continue storing your Personal Data or where any other overriding factor applies.
(d) Your right to restriction of processing - You have the right to ask us to restrict the processing of your Personal Data.
(e) Your right to object to processing - You have the right to object to our processing of your Personal Data on grounds relating to your particular situation and we will oblige your request without any undue delay, except where we have a legal obligation to continue processing your Personal Data or where any other overriding factor applies. Such legal obligation may include instances of any judicial proceedings or regulatory authority, which may require us to continue the processing of your Personal Data.
(f) Right to request the transfer of your Personal Data to yourself or a third-party - We will provide to you, or (where technically feasible) a third-party data controller you have chosen, your Personal Data in a structured, commonly used, and machine-readable format.
(g) Right to be informed of the existence of automated decision-making, including profiling, its significance and potential impact on the Data Subject and the right to object to or challenge such processing.
(h) Right to withdraw your consent - You may withdraw your consent by contacting us using the details set out in Clause 14 below. If you withdraw your consent, we may not be able to continue providing and/or performing the associated activity except where another lawful basis applies.
(i) Right to lodge a complaint with the Nigeria Data Protection Commission, where you are of the opinion that your Personal Data rights have been violated.
(j) Right to be informed of the existence of automated decision-making, including profiling, its significance and potential impact on you and the right to object to or challenge such processing.
Please note that the specific timeframe for responding to requests may vary depending on the complexity of the request. Within one month of our receipt of your request, we will either respond or notify you if we require additional time to process your request.
9. Data Retention Period
We will retain your Personal Data in accordance with Applicable Data Protection Laws, for no longer than is necessary to achieve the purpose for which it was collected. We will also retain some Personal Data after your relationship with us has ended for archiving and record purposes. The retention period will be determined by various criteria, including:
(a) the purpose for which we keep your Personal Data, e.g. to defend or take legal action;
(b) if we have a legal obligation to retain Personal Data for a defined period, e.g., some laws and regulations may mandate that some Personal Data must be retained for a specific period; and
(c) if we have to withhold destruction because of ongoing litigation, a court order or an investigation by law enforcement agencies or a regulator.
When your Personal Data is no longer necessary for the above purposes, we will securely destroy such information or de-identify it. For more information about our data retention practices, please see the “contact us” section on our website.
10. Cross-border Transfers
We operate systems that may make your Personal Data accessible to our affiliates around the world and may often transfer your Personal Data to these affiliates. Where we share or transfer your Personal Data, we will do this in accordance with Applicable Data Protection Laws and will take appropriate safeguards to ensure its protection.
These include ensuring that:
● All recipients of Personal Data transferred to other countries are subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection with respect to the transferred Personal Data; or
● In the absence of the above, we only transfer Personal Data to other jurisdictions if:
(a) you have granted and not withdrawn consent to such transfer after having been informed of the possible risks of such transfers due to the absence of adequate protections;
(b) transfer is necessary for the performance of a contract to which you are a party or to take steps at your request, prior to entering into a contract;
(c) transfer is for your sole benefit and
(i) it is not reasonably practicable to obtain your consent to that transfer, and
(ii) if it were reasonably practicable to obtain such consent, you would likely give it;
(d) transfer is necessary for important reasons of public interest;
(e) transfer is necessary for the establishment, exercise, or defence of legal claims; or
(f) transfer is necessary to protect your vital interests or those of other persons, where you are physically or legally incapable of giving consent.
11. How we Secure your Personal Data
We take ultimate responsibility for safeguarding your Personal Data as processed by us and maintaining its confidentiality and integrity. We implement robust security measures and follow industry best practices to protect your information from unauthorised access, disclosure, alteration, and destruction. Our security measures include:
(a) Encryption: We use encryption techniques to protect Personal Data being processed by us, including in the course of transmitting same to third-parties. This ensures that your Personal Data remains confidential during transit.
(b) Access Control: We restrict access to your Personal Data to authorised personnel only, and access is granted on a need-to-know basis. Our employees and third-party service providers are subject to strict confidentiality obligations.
(c) Regular Security Audits: We conduct regular security audits and assessments of our systems and infrastructure to identify and address potential vulnerabilities.
(d) Data Backup: We regularly back up your data to prevent data loss and ensure business continuity in the event of unforeseen circumstances.
(e) Incident Response Plan: We have established an incident response plan to promptly address any data breaches or security incidents and to notify the appropriate authorities and affected individuals, as required by law.
(f) User Authentication: We implement strong user authentication methods to ensure that only authorised users have access to your account and Personal Data.
(g) Data Minimisation: We only collect and retain the minimum amount of Personal Data necessary for the intended purpose, reducing the risk of unauthorised access and misuse.
(h) Anonymisation and Pseudonymization: Where applicable, we use anonymisation and pseudonymization techniques to enhance data privacy and limit exposure of Personal Data.
(i) Network Security: We implement firewall protection, intrusion detection systems, and secure network configurations to safeguard against external threats and unauthorized access.
(j) Employee Training and Awareness: We conduct regular security awareness training for our employees to ensure compliance with data protection policies and best practices.
While we take every reasonable precaution to protect your Personal Data, it is important to acknowledge that no system can be entirely immune to security risks. We encourage you to take steps to safeguard your Personal Data, such as using strong and unique passwords, keeping your login credentials confidential, and promptly reporting any suspicious activity. In the event of a Personal Data Breach that could result in a high risk to your rights and freedoms, we will notify you and the appropriate regulatory authorities in accordance with legal requirements. Our commitment is to continuously enhance our security practices to ensure the safety of your Personal Data.
12. Automated Decision-Making and Profiling
We may employ automated decision-making and profiling processes to provide you with our services by utilising algorithms and data analysis to assess the information you provide to us. The purpose of these automated processes is to make well-informed decisions that enhance our services and ensure they meet your specific needs. You have the right to object to the use of automated decision-making and profiling processes.
13. Third-Party Links
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share Personal Data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
14. Cookies
What is a cookie? Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device, preferences and generally help to improve your online experience.
By using our website, you agree that we can place these types of cookies on your device. If you want to restrict or block our use of cookies, you should do this through the web browser settings for each browser you use and on each device you use to access the internet. Please be aware that some areas of our website may not function properly if you restrict or block cookies. However, you can allow cookies from specific websites by making them “trusted websites” in your web browser. The “Help” function within your web browser should tell you how to make these changes.
15. Contact Us
If you have any questions, concerns, or requests regarding your Personal Data or this Policy, or you would like to exercise one of your data protection rights, please contact us via:
Address: Ferry Building, 1, Suite 201, San Francisco, CA 94111, USA
Email: ashwin@bkey.me
Phone: +233266563950
16. Right to Lodge a Complaint
If you believe that your data privacy rights have been violated, or you wish to report a complaint, you have the right to lodge a complaint with the Nigeria Data Protection Commission at:
Address: No. 12, Dr. Clement Isong Street, Asokoro, Abuja, Nigeria.
Email: info@ndpc.gov.ng
Telephone: +234 (0) 916 061 5551
17. Changes to this Policy
We reserve the right to update or modify this Policy to reflect changes in our data processing practices or legal requirements. We will notify you of any material changes by posting the updated Policy on our website or by other means of communication, where appropriate. We encourage you to review this Policy periodically to stay informed about how we are processing your Personal Data.
This is version 1.0 of the Bkey Data Protection and Privacy Policy, issued on April 10, 2025.