Privacy Policy
1. Introduction
Welcome to Subsecute (subsecute.com). Subsecute is a subscription management platform that allows Nigerian residents to create, fund, and manage their subscriptions using virtual cards funded from Naira and USD wallets.
This Privacy Policy explains how Subsecute, operated by Trust Commerce ("we," "us," or "our"), collects, uses, stores, shares, and protects your personal data when you use our mobile application, website, and related services (collectively, the "Service").
We are committed to protecting your personal data in accordance with the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act 2023, and all applicable guidelines issued by the Nigeria Data Protection Commission (NDPC) and the Central Bank of Nigeria (CBN).
By creating an account or using Subsecute, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and processing of your personal data as described herein. If you do not agree, please do not use our Service.
Before we collect your BVN and identity documents, we will request your explicit consent through a clear, affirmative action separate from your agreement to these general terms.
2. Definitions
- "Personal Data" means any information that relates to an identified or identifiable individual, including but not limited to name, email address, phone number, BVN, financial data, and identification documents.
- "Processing" means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, or deletion.
- "Data Controller" means Trust Commerce (operating as Subsecute), which determines the purposes and means of processing your personal data.
- "Data Processor" means any third party that processes personal data on behalf of the Data Controller.
- "NDPR" means the Nigeria Data Protection Regulation 2019, as amended or supplemented.
- "CBN" means the Central Bank of Nigeria.
- "BVN" means Bank Verification Number, a unique identification number issued by the CBN to every bank account holder in Nigeria.
- "KYC" means Know Your Customer, the process of verifying the identity of users as required by Nigerian financial regulations.
3. Data We Collect
We collect and process the following categories of personal data:
| Category | Specific Data | Purpose |
|---|---|---|
| Account Information | Email address, phone number, first name, last name, username, password (stored as a cryptographic hash) | Account creation, authentication, and communication |
| Identity / KYC Data | Date of birth, BVN (Bank Verification Number), government-issued ID documents (front and back images), ID type, ID number, issue date, expiry date | Identity verification as required by CBN KYC regulations and anti-money laundering laws |
| Address Data | Street address, city, state, country, postal code | KYC compliance, virtual card issuance, and regulatory requirements |
| Financial Data | Payment card details (last 4 digits only, card type, expiry date, bank name, BIN), bank account numbers, wallet balances (NGN and USD), full transaction history | Payment processing, wallet funding, transaction records, and regulatory reporting |
| Subscription Data | Merchant name, subscription amount, billing interval, status, next due date | Subscription tracking, renewal management, and billing reminders |
| Virtual Card Data | Virtual card details issued by Sudo Africa (full PAN masked internally; only last 4 digits displayed to you) | Virtual card provisioning and subscription payments |
| Device Information | Device token, device type (iOS, Android, or Web) | Push notification delivery and device-specific service optimisation |
| Activity & Log Data | Recent activity logs, notification delivery logs, external API call logs | Service monitoring, debugging, security audits, and fraud prevention |
Important note about sensitive data: Your BVN and government-issued ID documents are classified as sensitive personal data under the NDPR. We collect these only because they are legally required for KYC compliance under CBN regulations. We will never use your BVN or ID documents for any purpose other than identity verification and regulatory compliance.
4. How We Collect Your Data
We collect personal data through the following methods:
- Directly from you — when you create an account, complete KYC verification, add a payment method, create a subscription, or contact our support team.
- Through Google OAuth2 — if you choose to sign in with Google, we receive your name and email address from your Google account. We do not access your Google contacts, calendar, or any other Google data.
- Automatically from your device — device token and device type are collected when you install the app and enable push notifications.
- From third-party payment processors — Paystack provides us with masked card details (last 4 digits, card type, and bank name) when you add a payment card. We never receive or store your full card number.
- From Sudo Africa — virtual card details are generated by Sudo Africa and relayed to your account. Full card numbers (PANs) are masked in our systems; only the last 4 digits are shown to you.
- Generated through your use of the Service — transaction history, activity logs, and subscription data are created as you use Subsecute.
5. Why We Process Your Data
We process your personal data for the following specific purposes:
5.1 Service Delivery
- Creating and managing your Subsecute account
- Issuing virtual cards for your subscriptions
- Processing wallet funding and subscription payments
- Processing bill payments (airtime, data, cable TV, electricity)
- Converting currencies between NGN and USD
- Sending transaction confirmations and subscription renewal reminders
5.2 Legal and Regulatory Compliance
- Verifying your identity (KYC) as required by CBN regulations
- Anti-money laundering (AML) and counter-terrorism financing (CTF) compliance
- Maintaining transaction records as required by Nigerian financial regulations
- Responding to lawful requests from regulatory authorities
5.3 Security and Fraud Prevention
- Detecting and preventing fraudulent transactions
- Monitoring for unauthorised access to your account
- Rate limiting API requests to protect against abuse
- Maintaining audit trails through activity and API logs
5.4 Communication
- Sending email verification and password reset messages
- Delivering push notifications for transaction alerts and subscription reminders
- Notifying you of important changes to our Service or this Privacy Policy
5.5 Service Improvement
- Analysing anonymised and aggregated usage patterns to improve our Service
- Debugging technical issues using API and activity logs
We will never sell your personal data to third parties. We will never use your data for automated decision-making or profiling that produces legal effects on you without your explicit consent.
6. Legal Basis for Processing
Under the NDPR, we process your personal data based on the following lawful grounds:
| Legal Basis | Applies To |
|---|---|
| Your Consent | Push notification delivery and email communications (other than those required for service delivery) |
| Performance of Contract | Account creation, Google OAuth2 login, processing payments, issuing virtual cards, managing subscriptions, delivering the core Service you signed up for |
| Legal Obligation | KYC/identity verification, BVN collection, maintaining transaction records, AML/CTF compliance, responding to regulatory requests from CBN or other authorities |
| Legitimate Interest | Fraud prevention, security monitoring, service debugging, and aggregated analytics for service improvement |
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Please note that withdrawing consent for certain processing activities may affect our ability to provide you with the Service.
7. Third-Party Service Providers
We share your personal data with the following third-party processors who help us deliver our Service. Each processor is bound by a data processing agreement that requires them to protect your data and use it only for the purposes we specify.
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Paystack | Payment processing (wallet funding via cards and bank transfers) | Payment card details, bank account info, transaction amounts | Nigeria |
| Sudo Africa | Virtual card issuance and management | Name, identity data, address, funding amounts | Nigeria / Africa |
| SafeHaven MFB | Bill payments (airtime, data, cable TV, electricity) | Phone numbers, account numbers, payment amounts | Nigeria |
| Keycloak (self-hosted) | User authentication, password management | Email, username, hashed password | Our servers |
| OAuth2 login option | Email and name (only if you choose Google sign-in) | Global (Google Cloud) | |
| Amazon Web Services (AWS) | S3 file storage, SES email delivery, SNS push notifications, CloudFront CDN | KYC documents (S3), email addresses (SES), device tokens (SNS) | EU-West-1 (Ireland) |
| Firebase (FCM) | Push notification delivery | Device tokens | Google Cloud |
| MailerSend | Transactional email delivery | Email address, name | EU |
| ExchangeRate API | Currency conversion rates (NGN/USD) | No personal data shared | Global |
| Logo.dev | Merchant logo display | No personal data shared | Global |
We do not share your personal data with any third party for marketing purposes. We will only disclose your data to law enforcement or regulatory authorities when legally required to do so.
8. International Data Transfers
Some of your personal data is transferred to and stored in locations outside Nigeria:
- AWS EU-West-1 (Ireland) — KYC documents stored in S3, emails sent via SES, push notifications via SNS, and content delivered via CloudFront. The European Union provides an adequate level of data protection under the GDPR.
- Google Cloud (global) — Push notification delivery via Firebase Cloud Messaging and, if you use Google sign-in, authentication via Google OAuth2.
- MailerSend (EU) — Transactional email delivery.
For all international transfers, we ensure that appropriate safeguards are in place as required by the NDPR, including:
- Transferring data only to jurisdictions that provide an adequate level of data protection, or
- Executing standard contractual clauses or binding data processing agreements with the receiving party, and
- Implementing technical measures such as encryption in transit (TLS) and at rest
9. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account Data (name, email, phone, username) | Until you request account deletion | Required for ongoing service delivery |
| KYC / Identity Documents (ID images, BVN, date of birth) | Minimum 5 years after account closure | CBN/NDPR regulatory requirements for financial service providers |
| Transaction Records | As required by Nigerian financial regulations (minimum 5 years) | CBN regulatory compliance, AML/CTF obligations |
| API Logs | 30 days (automatically deleted) | Service monitoring and debugging |
| Activity & Notification Logs | 12 months, then anonymised or deleted | Security audits and service improvement |
| Device Tokens | Until you uninstall the app or disable notifications | Push notification delivery |
When data is no longer needed, it is securely deleted or irreversibly anonymised. KYC documents stored in AWS S3 are accessible only via signed URLs that expire after 1 hour, limiting exposure even within our own systems.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:
Technical Measures
- Encryption in transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
- Password security: Passwords are never stored in plain text. They are cryptographically hashed using Keycloak's built-in hashing algorithms.
- Card number masking: Full card numbers (PANs) for virtual cards are never displayed. Only the last 4 digits are shown to you. Paystack-linked card details are similarly masked.
- Signed document URLs: KYC documents stored in AWS S3 are accessible only through CloudFront signed URLs that expire after 1 hour.
- JWT authentication: We use stateless, token-based authentication (JSON Web Tokens), which reduces the risk of session hijacking.
- Rate limiting: All API endpoints are rate-limited to prevent brute-force attacks and abuse.
- Regular monitoring: We conduct ongoing security monitoring to detect and respond to potential threats.
Organisational Measures
- Access to personal data is restricted to authorised personnel on a need-to-know basis.
- Third-party processors are contractually required to maintain equivalent security standards.
- We regularly review and update our security practices.
Encryption at Rest
Personal data stored in our databases is encrypted at rest using industry-standard encryption.
Breach Notification
In the event of a personal data breach, we will notify the Nigeria Data Protection Commission within 72 hours and notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
While we take extensive measures to protect your data, no method of electronic transmission or storage is 100% secure. If you become aware of any security breach or unauthorised use of your account, please contact us immediately at privacy@subsecute.com.
11. Your Rights Under Nigerian Data Protection Law
As a data subject under the Nigeria Data Protection Regulation, you have the following rights:
- Right to Access: You may request a copy of the personal data we hold about you. We will provide this within 30 days of your request.
- Right to Rectification: You may request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to Deletion (Erasure): You may request that we delete your personal data. Please note that certain data (such as KYC documents and transaction records) must be retained to comply with CBN regulations and cannot be deleted upon request until the mandatory retention period has expired.
- Right to Data Portability: You may request that we provide your personal data in a structured, commonly used, and machine-readable format so that you can transfer it to another service provider. Data portability will be provided in CSV or JSON format for data you have directly provided to us.
- Right to Object: You may object to the processing of your personal data where we rely on legitimate interest as the legal basis. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time. This will not affect the lawfulness of processing carried out before the withdrawal.
- Right to Restrict Processing: You may request that we limit how we process your personal data in certain circumstances, such as while we verify the accuracy of your data or assess an objection you have raised.
How to Exercise Your Rights
To exercise any of these rights, please contact us at:
- Email: privacy@subsecute.com
- Subject line: "Data Subject Request — [Your Right]"
We will acknowledge your request within 7 days and respond substantively within 30 days. If we need more time due to the complexity of your request, we will notify you and provide a reason for the extension.
We may need to verify your identity before processing your request. We will never charge a fee for exercising your rights unless your request is manifestly unfounded or excessive.
Account Deletion
You may request full deletion of your account by emailing privacy@subsecute.com. Upon account deletion:
- Your account and login credentials will be permanently deactivated.
- Your wallet balances must be withdrawn before deletion can proceed.
- Active subscriptions will be cancelled.
- KYC documents and transaction records will be retained for the legally required period (minimum 5 years), then permanently deleted.
- API logs and activity logs will be deleted according to their standard retention schedules.
12. Children's Privacy
Subsecute is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. Our KYC verification process includes date of birth verification to prevent minors from creating accounts.
If you believe that a child under 18 has provided us with personal data, please contact us at privacy@subsecute.com and we will promptly delete the data and close the account.
13. Cookies & Tracking Technologies
Subsecute does not use cookies, web beacons, pixel tags, or any other browser-based tracking technologies.
Our authentication system is entirely JWT-based (JSON Web Tokens), which means no cookies are set on your device for authentication purposes. We do not use any third-party analytics or advertising trackers.
14. Communications & Notifications
We send you communications through the following channels:
Email Notifications
- Email verification — sent when you create your account (required)
- Password reset — sent when you request a password reset (required)
- Subscription renewal reminders — sent 3 days before a subscription is due for renewal
- Transaction confirmations — sent after each transaction
Push Notifications
- Transaction alerts — real-time notifications for wallet and subscription transactions
- Subscription reminders — reminders for upcoming subscription renewals
- System updates — important updates about the Service
You can manage your push notification preferences in your device settings. Transactional emails related to your account security (verification, password reset) cannot be opted out of while your account is active, as they are necessary for the operation of the Service.
15. Transaction Fees
Information about transaction fees is set out in our Terms of Service.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- We will update the "Last Updated" date at the top of this page.
- For material changes, we will notify you by email or through an in-app notification at least 14 days before the changes take effect, except where a shorter notice period is required to comply with a legal obligation or regulatory directive.
- If the changes involve new processing of sensitive data or a new purpose for existing data, we will seek your explicit consent before applying those changes.
We encourage you to review this Privacy Policy periodically. Your continued use of Subsecute after the effective date of a revised policy constitutes your acceptance of the changes.
This Privacy Policy is governed by the laws of the Federal Republic of Nigeria.
17. Complaints & Dispute Resolution
If you believe that your data protection rights have been violated, you have the right to:
- Contact us first — Please reach out to us at privacy@subsecute.com. We will investigate your complaint and respond within 30 days.
- Lodge a complaint with the NDPC — If you are not satisfied with our response, you may file a complaint with the Nigeria Data Protection Commission (NDPC), the supervisory authority responsible for enforcing the NDPR.
18. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- General enquiries: hello@subsecute.com
- Privacy & data protection: privacy@subsecute.com
- Company: Trust Commerce (operating as Subsecute)
- Location: Nigeria
- Website: subsecute.com
- Data Protection Officer: dpo@subsecute.com