Ver 2.0 Last updated 3rd October, 2022.
This Privacy Notice will help you understand how we use your information and what we do with it and applies to all forms of systems, operations and processes within the Kora environment that involve the collection, storage, use, transmission and disposal of Personal Information. However, the application of this Privacy Notice does not extend to services that are not owned or controlled by Kora, including third-party websites and the services of other Kora’s merchants or partners. Kora ensures to handle personal data provided to us by our customers and merchants (“Users”) in strict compliance with applicable data privacy and protection laws.
To use our website or any of our products or services, your consent is required for the use of your data as described in this Privacy Notice.
Kora is a licensed payment services provider which facilitates online payment among individuals or companies willing to make or receive payments as the case may be (the “Service”), with the simple idea of making the flow of money and value into, within and from Africa seamless, efficient and cheap.
We are an independent contractor for all purposes, providing this website and our services on an independent service provider basis. We do not have control or assume the liability or legality for the products or services that are paid for with our service. We do not guarantee any user’s identity and cannot ensure that a buyer or seller will complete a transaction.
We may need to update, modify or amend our Privacy Notice as our technology evolves and as required by law. We reserve the right to make changes to this Privacy Notice from time to time and notify Users of material changes. The Privacy Notice will apply from the effective date provided on our website at the time of publishing the updates.
We advise that you check this page often, referring to the date of the last modification on the page. If a User objects to any of the changes to this Privacy Notice, the User must cease using this website or any of our Services. Where such User continues to use this website and/or any of our Services, it shall continue to be bound by the terms of this Privacy Notice.
Our website and Services are not directed to children under 18. We do not knowingly collect information from, or conduct business with, children under 18. If as a parent or guardian, you become aware that your child or ward has provided us with any information without your consent, please contact us through the details provided in this Privacy Notice.
A. Personal Information
As part of our operations, Kora collects and processes certain types of information (such as name, telephone numbers, email address, physical address, financial information etc.) of individuals that makes them easily identifiable. These individuals include current, past and prospective employees, merchants, suppliers/vendors, customers of merchants, Users and other individuals whom Kora communicates or deals with, jointly and/or severally (“Data Subject(s)”).
Kora is firmly committed to complying with applicable data protection laws, regulations, rules and principles to ensure security of Personal Information handled by Kora.
To gain full access to our website and services, you may need to register for a Kora account. When you register for an account, we collect Personal Information which you voluntarily provide to us. Personal Information refers to information relating to an identified person or information that can be used to identify you, (e.g. email address, bank details, name, telephone number). It may also include anonymous information that may be linked to you specifically, (e.g. IP address).
We use your Personal Information to:
- Provide you with the required services, including opening a user account, carrying out necessary KYC/CDD, monitoring ongoing compliance and reporting to regulators.
- Respond to your questions or requests.
- Improve features, website content and analyze data to develop products and services.
- Address inappropriate use of our website.
- Prevent, detect and manage risk against fraud and illegal activities using internal and third party screening tools.
- Send you marketing content, newsletters and service updates curated by Kora, however, we will provide you with an option to unsubscribe if you do not want to hear from us.
- Verify your identity and the information you provide in line with Kora’s statutory obligations using internal and third party tools.
- Maintain up-to-date records.
- Resolve disputes that may arise, including investigations by law enforcement or regulatory bodies.
- Any other lawful purpose or legal obligation which we may have in the course of providing our services.
We may retrieve additional Personal Information about you from third parties and other identification/verification services such as your financial institution and payment processor. With your consent, we may also collect additional Personal Information in other ways including emails, surveys, and other forms of communication. Once you begin using the Services through your Kora account we will keep records of your transactions and collect information about your other activities related to our services. We will not share or disclose your Personal Information with a third party without your consent except as may be required for the purpose of providing you with our services or under applicable legislations.
In providing you with the services, we may rely on third-party servers located in foreign jurisdictions from time to time, which as a result, may require the transfer or maintenance of your personally identifiable information on computers or servers in foreign jurisdictions. You consent that we may transfer your data for the purpose of providing you with the services. We will ensure to comply with the requirements of the Nigeria Data Protection Act (“NDPA”) with respect to transfer of personal data. We will endeavor to ensure that such foreign jurisdictions have data protection legislation that is no less than the existing data protection regulations in force in Nigeria and your personally identifiable information is treated in a safe and secure manner.
B. Information that we collect from website visitors
We do not collect your Personal Information when you visit our website. However, so we can monitor and improve our website and services we may collect non-personally-identifiable information. We will not share or disclose this information with third parties except as a necessary part of providing our website and services. We may use the information to target advertisements to you.
C. Information that we collect from checkout users
When you checkout with Kora on a merchant’s website, we collect and store your payment information, your email address, your mobile phone number, and billing and shipping address. To ensure your payment information is kept safe and secure on our servers, we implement access control measures (physical and virtual), security protocols, policies and standards including the use of encryption and firewall technologies in compliance with the PCI-DSS Requirements and we implement periodical security updates to ensure that our security infrastructures are in compliance with reasonable industry standards.
We may share your contact information with merchants as part of your transaction details for record purposes. We will not share this information with other third parties except as a necessary part of providing our website and services. We do not share your card information with merchants. Please review your merchant’s Privacy Notice to understand the privacy policies guiding the merchant you transact with.
Kora collects Personal Information only for identified purposes and for which consent has been obtained. Such Personal Information cannot be reused for another purpose that is incompatible with the original purpose, except consent is obtained for such purpose.
Kora limits Personal Information collection and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.
Kora will evaluate whether and to what extent the processing of Personal Information is necessary and where the purpose allows, anonymized data will be used.
Our cookies never store personal or sensitive information; they simply hold a unique random reference to you so that once you visit the site we can recognize who you are and provide certain content to you.
If your browser or browser add-on permits, you have the choice to disable cookies on our website, however this may impact your experience using our website.
Kora shall establish adequate controls in order to protect the integrity and confidentiality of Personal Information, both in digital and physical formats and to prevent Personal Information from being accidentally or deliberately compromised.
Kora is committed to managing your Personal Information in line with global industry best practices. We protect your Personal Information using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorized access, disclosure and alteration, we also use industry recommended security protocols to safeguard your Personal Information. Other security safeguards include but are not limited to data encryption, firewalls, and physical access controls to our building and files and only granting access to Personal Information to only employees who require it to fulfill their job responsibilities. Any Personal Information processing undertaken by an employee who has not been authorized to carry such out as part of their legitimate duties is unauthorized.
Employees may have access to Personal Information only as is appropriate for the type and scope of the task in question and are forbidden to use Personal Information for their own private or commercial purposes or to disclose them to unauthorized persons, or to make them available in any other way.
Kora does not sell, trade or rent personal information to anyone. However, to enable us render our services to you on our website, we may share your information with trusted third parties, such third parties include financial institutions, payment processors, verification services, sanctions screening and identity verification services, any third party that you have directly authorized to receive your Personal Information, as well as any third party which we may be mandated to provide the data to by law or an order of a competent court. Your Personal Information may be stored in locations outside the direct control of Kora, for instance, on servers or databases co-located with hosting providers.
We may be constrained to disclose your Personal Information in compliance with applicable law or a legal obligation to which we are bound.
The use of your information by such third parties will be subject to their applicable Privacy Notice, which you should carefully review.
Third Party Processor within Nigeria
Kora may engage the services of third parties in order to process the Personal Information of Data Subjects collected by us. The processing by such third parties shall be governed by a written contract with Kora to ensure adequate protection and security measures are put in place by the third party for the protection of Personal Information in accordance with the terms of this Privacy Notice.
Transfer of Personal Information to Foreign Country
Where Personal Information is to be transferred to a country outside Nigeria, Kora shall put adequate measures in place to ensure the security of such Personal Information. In particular, we shall, among other things, confirm whether the country is on the National Data Protection Commision (“NDPC”) White List of Countries with adequate data protection laws and comply with the provisions of the NDPA in making such transfers.
Transfer of Personal Information out of Nigeria would be in accordance with the provisions of the NDPA. Kora will therefore only transfer Personal Information out of Nigeria on one of the following conditions:
- The consent of the Data Subject has been obtained;
- The transfer is necessary for the performance of a contract between Kora and the Data Subject or implementation of pre-contractual measures taken at the Data Subject’s request;
- The transfer is necessary to conclude a contract between Kora and a third party in the interest of the Data Subject;
- The transfer is necessary for reasons of public interest;
- The transfer is for the establishment, exercise or defense of legal claims;
- The transfer is necessary in order to protect the vital interests of the Data Subjects or other persons, where the Data Subject is physically or legally incapable of giving consent.
Kora will take all necessary steps to ensure that Personal Information is transmitted in a safe and secure manner. Details of the protection given when your Personal Information is transferred outside Nigeria shall be provided to you upon request.
Processing of Personal Information by Kora shall be lawful if at least one of the following applies:
- the Data Subject has given consent to the processing of his/her Personal Information for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which Kora is subject;
- processing is necessary in order to protect the vital interests of the Data Subject or of another natural person; and
- processing is necessary for the performance of a task carried out in the public interest or in exercise of an official public mandate vested in Kora.
For the purpose of this Privacy Notice, consent means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which they, through a statement or a clear affirmative action, signify their agreement to the processing of Personal Information relating to them.
Individuals who have Personal Information held by Kora are entitled to reach out to exercise the following rights:
- Right to request for and access their Personal Information collected and stored. Where data is held electronically in a structured form, such as in a Database, the Data Subject has a right to receive that data in a common electronic format;
- Right to information on their personal information collected and stored;
- Right to objection or request for restriction;
- Right to object to automated decision making;
- Right to request rectification and modification of Personal Information which Kora keeps;
- Right to request for deletion of their data;
- Right to request the movement of data from Kora to a third party; this is the right to the portability of data; and
- Right to object to, and to request that Kora restricts the processing of their information.
Such requests will be reviewed by Kora’s Data Protection Officer and carried out except as restricted by law or Kora’s statutory obligations. You may decline to provide your personal Information when it is requested by Kora, however, certain services or all the services may be unavailable to you. You may review your account settings and update your Personal Information directly or by contacting us.
We will retain your information (i) for as long as your account is active, (ii) as necessary to provide our services to you, (iii) to comply with our legal and statutory obligations, or (iv) to verify your information with a payment partner.
Kora is statutorily obligated to retain some of the data you provide us with in order to process transactions, ensure settlements, make refunds, identify fraud and in compliance with laws and regulatory guidelines applicable to us, our banking providers and card processors.
Therefore, even after closing your Kora account, we will retain certain Personal Information and transaction data to comply with these obligations. All Personal Information shall be destroyed by Kora where possible. For all Personal Data and records obtained, used and stored by Kora, we shall perform periodical reviews of the data retained to confirm the accuracy, purpose, validity and requirement to retain.
The length of storage of Personal Information shall, amongst other things, be determined by:
- the contract terms agreed between Kora and the Data Subject or as long as it is needed for the purpose for which it was obtained; or
- whether the transaction or relationship has statutory implication or a required retention period; or
- whether there is an express request for deletion of Personal Data by the Data Subject, provided that such request will only be treated where the Data Subject is not under any investigation which may require Kora to retain such Personal Data or there is no subsisting contractual arrangement with the Data Subject that would require the processing of the Personal Data; or
- whether Kora has another lawful basis for retaining that information beyond the period for which it is necessary to serve the original purpose.
If you have any questions relating to this Privacy Notice or would like to find out more about exercising your data protection rights, please reach out to us via email at firstname.lastname@example.org.
Business Address - 180, Admiralty way, Lekki Phase 1, Lagos, Nigeria.