Privacy Policy
Effective date: 9 May 2026 · Version 1.0
This Privacy Policy explains how Transingenium Innovations Limited ("we", "us", "Owoche") collects, uses, shares, and protects information about you when you use the Owoche mobile app, our website at owoche.online, and any related services (collectively, the "Services").
We are a Nigerian financial services provider. We comply with the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR), with applicable Central Bank of Nigeria (CBN) guidelines, and with relevant App Store and Google Play data-handling rules. We are the data controller for the personal information described below; you can reach our Data Protection Officer at dpo@owoche.online.
1. Information we collect
1.1 Information you give us directly
- Identity & contact: full name, date of birth, gender, phone number, email address, profile photo (optional).
- KYC verification data: Bank Verification Number (BVN), National Identification Number (NIN), and (where required) a government-issued ID document and selfie. We use a third-party verification provider (Dojah) to validate this against authoritative Nigerian registries.
- Financial data: bank account details for transfers, recipient phone numbers for airtime/data purchases, biller account numbers for utilities, transaction PIN, login PIN. PINs are stored only as one-way bcrypt hashes; we never see or store the cleartext.
- Communications: messages you send to our support team via in-app chat, email, or WhatsApp, including any attachments you choose to include.
- Optional preferences: language, dark-mode preference, email-receipts opt-in, panic-PIN configuration.
1.2 Information we collect automatically
- Device & technical data: device model, operating system version, app version, IP address, time zone, locale, language, and a hashed device fingerprint we use to detect new-device sign-ins.
- Usage data: screens viewed, features used, transactions initiated, and anonymized event timestamps. We do not associate this with your name or BVN/NIN unless we have a specific need (e.g. fraud investigation).
- Crash & performance: stack traces and device state at the moment of a crash, captured via Firebase Crashlytics. PII is filtered out before transmission.
- Push notification tokens: issued by Apple Push Notification service or Firebase Cloud Messaging, used solely to deliver transaction and account alerts.
1.3 Information from third parties
- Payment confirmations and bank-transfer receipts from our payment processors (Paystack, Flutterwave).
- Bill-payment outcomes from utility aggregators (VTpass, Interswitch).
- Identity-verification results from Dojah (BVN, NIN, and ID-document checks).
- Fraud signals from device-integrity providers (e.g. tamper-detection on rooted/jailbroken devices).
2. How we use your information
- To provide the core wallet, transfer, bill-payment, QR pay, SmartAza, and rewards features you request.
- To verify your identity in line with Nigeria's Anti-Money-Laundering (AML) and Know-Your-Customer (KYC) regulations.
- To authenticate sign-ins, detect new devices, and block fraudulent activity (including panic-PIN duress detection and rate-limited PIN-attempt lockouts).
- To send you transactional alerts, OTP codes, security notices, and (with your opt-in) email receipts.
- To respond to your support requests and improve the quality of our service.
- To meet our legal obligations — including transaction reporting, AML/CFT screening, and cooperation with lawful requests from regulators or law enforcement.
- To diagnose crashes and improve app stability via aggregated, de-identified telemetry.
3. Legal basis for processing
We process your personal data under one or more of the following legal bases recognized by the NDPA and NDPR:
- Performance of a contract — to deliver the wallet, transfer, and payment services you have signed up for.
- Legal obligation — to comply with CBN, NFIU, and AML reporting requirements.
- Legitimate interest — to prevent fraud, secure accounts, and run abuse detection that protects our users and our service.
- Consent — for optional features like push notifications, marketing emails, and email receipts. You can withdraw consent at any time from in-app settings.
4. Sharing with third parties
We share information only with the parties listed below, and only to the extent needed to run the Service. We do not sell or rent your data to anyone.
| Recipient | Purpose | Data shared |
|---|---|---|
| Paystack, Flutterwave | Process bank transfers, fund wallet, settle bill payments | Name, account number, amount, transaction reference |
| VTpass, Interswitch | Deliver airtime, data, electricity tokens, and cable subscriptions | Recipient phone, biller account number, amount |
| Dojah | Verify BVN, NIN, and ID documents | BVN, NIN, name, date of birth, ID image |
| Termii | Deliver SMS one-time codes | Phone number, OTP message body |
| Resend (Twilio) | Deliver transactional and verification emails | Email address, message body |
| Firebase (Google) | Push notifications, crash reporting, analytics | Device token, anonymized event data, crash dumps |
| tawk.to | In-app live chat support | Display name, message contents |
| Cloudflare | DDoS protection and content delivery for our website and API | IP address, request metadata |
| Regulators & law enforcement | Where required by lawful order or by AML/CFT obligations | As specified in the order |
5. International transfers
Some of our processors (e.g. Firebase, Resend, Cloudflare) operate servers outside Nigeria. When we transfer your data internationally, we rely on the recipient's adherence to comparable data protection standards and on their own NDPR-aligned safeguards, in line with Section 41 of the NDPA.
6. How long we keep your data
- Account & KYC records: retained for the lifetime of your account, plus at least 5 years after closure, as required by Nigerian AML regulations.
- Transaction history: retained for at least 5 years from the date of the transaction.
- Support conversations: retained for up to 24 months unless legal hold requires longer.
- Anonymized analytics: retained indefinitely; cannot be linked back to you personally.
- Push tokens, device fingerprints: deleted within 30 days of account closure.
7. Your rights
Under the NDPA / NDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion ("right to be forgotten") — subject to our legal obligation to retain AML/transaction records.
- Object to processing for direct marketing.
- Withdraw consent for optional processing at any time.
- Receive your data in a portable, machine-readable format.
- Lodge a complaint with the Nigeria Data Protection Commission (NDPC).
To exercise any of these rights, email dpo@owoche.online or use the in-app "Delete my account" / "Export my data" controls. We respond within 30 days.
8. Security
We protect your information using:
- TLS encryption for every API request and SSL public-key pinning in the mobile app to defeat certificate-substitution attacks.
- Bcrypt-hashed PINs and one-way storage; nothing in our systems can recover your cleartext PIN.
- Server-side rate limiting, five-strike lockouts on PIN attempts, and panic-PIN duress detection.
- Role-based access controls inside our admin tooling, with audit trails on every privileged action.
- Secure off-site daily backups of the user and transaction database.
No system is perfectly secure. If you believe your account has been compromised, contact support@owoche.online immediately.
9. Children
Owoche is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will remove it.
10. Cookies & similar technologies
The Owoche mobile app does not use traditional web cookies. The marketing website (owoche.online) uses minimal first-party analytics. We do not use third-party advertising trackers anywhere in the Service.
11. Changes to this policy
We may update this policy as the Service evolves or as the law requires. When we make material changes, we will notify you in-app and update the "Effective date" at the top of this page. Previous versions are available on request.
12. Contact
Questions, concerns, or requests about your data:
- Email: dpo@owoche.online (Data Protection Officer)
- Support: support@owoche.online
- WhatsApp: +234 907 709 6560
- Postal: Transingenium Innovations Limited, Abuja, Nigeria
Owoche is a service of Transingenium Innovations Limited, a company duly registered in Nigeria.