Privacy Policy
Last updated: February 12, 2026
Introduction
At FinXclusive, operated by Netgrawl Limited ("we," "us," or "our"), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.
This Privacy Policy is governed by and compliant with the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (NDPA) 2023, and other applicable data protection laws. Netgrawl Limited, as the Data Controller, is registered with and subject to the oversight of the Nigeria Data Protection Commission (NDPC).
By using FinXclusive, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.
Legal Basis for Processing
In accordance with the NDPR and NDPA, we process your personal data only when we have a lawful basis to do so. The legal bases we rely on include:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Performance of contract |
| Processing transactions and subscriptions | Performance of contract |
| Providing financial management features (budgets, expenses, wallets) | Performance of contract |
| Sending transactional emails and account notifications | Performance of contract / Legitimate interest |
| Fraud detection and security monitoring | Legitimate interest |
| Analytics and service improvement | Legitimate interest |
| Marketing communications and newsletters | Consent |
| Push notifications | Consent |
| Tax record keeping and reporting | Legal obligation |
| Responding to regulatory or law enforcement requests | Legal obligation |
Where we rely on legitimate interest, we have conducted a balancing assessment to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting our Data Protection Officer.
Information We Collect
We collect information that you provide directly to us, including:
- Personal identification information (name, email address, phone number)
- Financial information (transaction history, income, expenses, budgets, savings goals, wallet balances)
- Business information (company name, business type, tax identification - for Pro/Enterprise users)
- Account credentials (username, password - stored securely using industry-standard hashing)
- Profile information (profile photo, preferences, currency settings)
- Task and reminder data (for personal productivity features)
We also automatically collect certain information when you use our services, including:
- Device information (device model, operating system, app version, device ID)
- Network information (IP address, browser type, connection type)
- Usage patterns (features used, session duration, interaction data)
- Error logs and crash reports (to improve app stability)
Note: We do not collect bank account numbers or routing information. We only collect transaction data that you manually enter or import into the application.
Consent
In accordance with NDPR Article 2.3, where we rely on consent as the legal basis for processing your personal data, we ensure that your consent is:
- Freely given: You are not coerced or pressured into providing consent
- Specific: Consent is obtained for clearly defined purposes
- Informed: You are provided with clear information about what you are consenting to before giving consent
- Unambiguous: Consent is obtained through a clear affirmative action (e.g., ticking a checkbox, clicking a button)
How we obtain consent:
- During account registration, you are presented with this Privacy Policy and must actively agree before proceeding
- Marketing communications require a separate opt-in via checkbox during registration or in your account settings
- Push notifications require explicit device-level permission through your operating system
- Cookie consent is obtained via a cookie banner on your first visit to our website
Withdrawing consent: You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal. You can withdraw consent by:
- Updating your preferences in your account settings
- Clicking "unsubscribe" in any marketing email
- Disabling push notifications in your device settings
- Contacting our Data Protection Officer at dpo@netgrawl.com
How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Process transactions and manage your account
- Send you important updates and notifications about your account and our services
- Respond to your inquiries and provide customer support
- Detect and prevent fraud, abuse, and security threats
- Comply with legal obligations and regulatory requirements
- Analyze usage patterns to enhance user experience and develop new features
- Send you marketing communications (only with your consent, and you can opt out at any time)
Marketing Communications: We will only send you marketing emails, newsletters, or promotional materials if you have opted in to receive them. You can opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email
- Updating your preferences in your account settings
- Contacting us at support@finxclusive.com
Note that even if you opt out of marketing communications, we may still send you important transactional and account-related messages.
Data Security
We implement industry-standard security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction.
Our security measures include:
- Encryption: Sensitive financial data is encrypted using AES-256. Encryption keys are stored in platform secure storage (iOS Keychain, Android Keystore).
- Secure Communication: All data transmitted between your device and our servers uses HTTPS (TLS 1.3) encryption.
- Authentication: We use JWT (JSON Web Tokens) and OAuth 2.0 for secure authentication. Passwords are hashed using bcrypt before storage.
- Offline Security: Data stored locally on your device is encrypted at rest using application-level encryption.
- Access Controls: Role-based access control ensures that only authorized personnel can access user data.
- Regular Security Audits: We conduct regular security assessments and vulnerability testing.
- Data Backup: Your data is securely backed up with encryption in place.
- Data Protection Impact Assessments (DPIAs): We conduct DPIAs for high-risk processing activities, including the processing of financial data, in accordance with NDPR Article 2.5.
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to improve our security measures.
If you suspect any unauthorized access to your account, please contact us immediately at support@finxclusive.com.
Data Retention
In accordance with NDPR Article 2.1(d), we retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, or as required by law. Our specific retention periods are:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data (name, email, profile) | Duration of account + 90 days after deletion | Account recovery window |
| Financial transaction data | 6 years after transaction date | Tax and regulatory compliance (FIRS requirements) |
| Payment and billing records | 6 years after payment date | Financial record-keeping obligations |
| Server and access logs | 12 months | Security monitoring and incident investigation |
| Support tickets and communications | 3 years after resolution | Service quality and dispute resolution |
| Marketing consent records | Duration of consent + 3 years | Proof of consent for regulatory compliance |
| Backup data | Purged within 30 days of primary data deletion | Disaster recovery |
When we no longer need your personal information, we will securely delete or anonymize it in accordance with our data retention policies and applicable laws. Anonymized data that cannot be used to identify you may be retained indefinitely for statistical and analytical purposes.
International Data Transfers
In accordance with NDPR Articles 2.11 and 2.12, we are transparent about where your personal data is stored and processed.
Primary data storage: Your personal data is stored on servers operated by Hetzner Online GmbH, located in Germany (EU). Germany is subject to the EU General Data Protection Regulation (GDPR), which provides a level of data protection that is recognized as adequate.
Safeguards for cross-border transfers: Where your data is transferred outside Nigeria, we ensure that appropriate safeguards are in place, including:
- Data processing agreements with all third-party processors that include NDPR-compliant data protection clauses
- Transfers only to jurisdictions with adequate data protection standards or with appropriate contractual safeguards
- Technical measures such as encryption in transit and at rest
You may request information about the specific safeguards applied to the transfer of your data by contacting our Data Protection Officer.
Third-Party Processors
We engage the following third-party data processors to help deliver our services. Each processor is bound by a data processing agreement and is contractually obligated to protect your personal data:
| Processor | Purpose | Data Accessed | Location |
|---|---|---|---|
| Paystack (Stripe) | Payment processing for subscriptions and wallet funding | Name, email, payment card details, transaction amounts | Nigeria / USA |
| Postmark (ActiveCampaign) | Transactional and marketing email delivery | Name, email address, email content | USA |
| Hetzner Online GmbH | Cloud infrastructure hosting and data storage | All user data (encrypted at rest) | Germany (EU) |
All third-party processors are contractually obligated to:
- Use your information only for the specific purposes we have authorized
- Implement appropriate technical and organizational security measures to protect your data
- Not disclose, sell, or share your information with unauthorized parties
- Comply with applicable data protection laws, including the NDPR
- Notify us promptly of any data breach affecting your personal data
Data Breach Notification
In accordance with NDPR Article 2.10, we have established procedures to detect, investigate, and respond to personal data breaches.
Notification to the NDPC: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, providing details of the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken to address the breach.
Notification to affected users: Where a data breach is likely to result in a high risk to your rights and freedoms, we will notify you as soon as practicable via:
- Email notification to the address associated with your account
- In-app notification upon your next login
- A prominent notice on our website (for large-scale breaches)
Our breach notification will include a description of the breach, the types of data involved, the likely consequences, and the steps we are taking to address the breach and mitigate its effects. We will also provide recommendations for steps you can take to protect yourself.
Automated Decision-Making
In accordance with NDPR Article 2.3, we are transparent about any automated decision-making that may affect you.
Current automated processes: FinXclusive uses limited automated processing in the following areas:
- Subscription management: Automated renewal and expiration of subscriptions based on your billing cycle and payment status
- Fraud detection: Automated monitoring of account activity to detect suspicious patterns (e.g., unusual login locations, rapid transaction patterns)
- Financial insights: Automated categorization and analysis of your transactions to provide spending summaries and budget recommendations
No solely automated decisions with legal effect: We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you (such as restricting access to features or automated account termination) without human review. FinXclusive is a financial management tool and does not offer loans, process payments on behalf of users, or provide banking services.
Your rights: You have the right to request human intervention in any automated decision, to express your point of view, and to contest any automated decision. To exercise these rights, contact our Data Protection Officer at dpo@netgrawl.com.
Your Rights Under NDPR
You have the right to:
- Access and receive a copy of your personal data
- Rectify inaccurate or incomplete personal information
- Request deletion of your personal data (right to be forgotten)
- Object to processing of your personal data
- Request restriction of the processing of your personal data
- Receive your data in a structured format (data portability)
- Withdraw consent at any time where processing is based on consent
Delete Your Account:
You can permanently delete your account and all associated data at any time. We provide multiple methods for account deletion:
- Delete via Web (Login Required) - Complete the deletion process directly from your account
- View Complete Deletion Guide - Step-by-step instructions for all deletion methods
- Email support@finxclusive.com if you cannot access your account
Note: Account deletion is permanent and cannot be undone. Please review our deletion guide for complete information about what data will be removed.
Right to lodge a complaint: If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC). You can contact the NDPC at ndpc.gov.ng.
Response timeframe: We will respond to all data subject rights requests within 30 days of receipt, as required by the NDPR. If a request is complex or we receive a high volume of requests, we may extend this period by an additional 30 days, in which case we will notify you of the extension and the reasons for the delay.
To exercise any of these rights, please contact our Data Protection Officer at dpo@netgrawl.com.
Children's Privacy
Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age.
If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will take steps to delete that information from our servers.
If you are between 13 and 18 years of age, you may use our services only with the consent and supervision of a parent or guardian.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:
- Posting the updated Privacy Policy on this page with a new "Last updated" date
- Sending you an email notification to the address associated with your account (for significant changes)
- Displaying a prominent notice in our mobile application or website
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
If you do not agree with any changes to this Privacy Policy, you may stop using our services and request deletion of your account.
Contact & DPO Information
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
Data Controller
Company: Netgrawl Limited
Product: FinXclusive
CAC Registration: RC - 7216459
Operating Address: C11 GHHE, FHA, Lugbe District, Abuja, FCT, Nigeria
Registered Address: 1 Resident Ikoko Close, Ugolo, Okpe LGA, Delta State, Nigeria
General Inquiries: hello@netgrawl.com
Phone: +234 905 708 9676
Data Protection Officer (DPO)
In accordance with NDPR Article 4.1, we have designated a Data Protection Officer responsible for overseeing our data protection strategy and compliance.
Email: dpo@netgrawl.com
For all data protection inquiries, data subject rights requests, or to report a data protection concern, please contact the DPO directly. We will acknowledge your request within 7 days and provide a substantive response within 30 days.
Supervisory Authority
If you are not satisfied with our response or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with:
Nigeria Data Protection Commission (NDPC)
Website: ndpc.gov.ng