🔐 GDPR at a glance — your key rights
- Access: Get a copy of all data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your personal data
- Portability: Receive your data in a machine-readable format
- Restriction: Pause processing while disputes are resolved
- Object: Opt out of processing based on legitimate interest
- No Profiling: Not subject to purely automated decision-making
- Withdraw Consent: Revoke consent for optional processing at any time
To exercise any right: privacy@afrilinkpay.com — we respond within 30 days.
1. Who We Are
AfriLink Pay Ltd ("AfriLink Pay", "we", "us", or "our") is the data controller for personal information collected through our platform. We are incorporated in Ghana and operate across 54 African countries.
Our Data Protection Officer (DPO) is responsible for overseeing compliance with data protection law and handling all privacy-related enquiries:
If you are an EU or UK resident, you have the right to lodge a complaint with your local data protection authority if you are unsatisfied with how we handle your data.
2. Data We Collect
We collect only the data necessary to provide our Services safely and in compliance with applicable law.
| Category | Examples | Purpose |
| --- | --- | --- |
| Identity data | Full name, date of birth, national ID number, passport, selfie/liveness check | KYC verification as required by AML regulations |
| Contact data | Email address, phone number, country of residence | Account management, transaction notifications, customer support |
| Financial data | Transaction amounts, currency, bank account numbers, wallet addresses, IBAN/SWIFT details | Payment processing, transaction history, dispute resolution |
| Device & usage data | IP address, device type, operating system, browser, session timestamps, feature usage | Fraud prevention, security monitoring, service improvement |
| Biometric data | WebAuthn cryptographic proof only — biometric template stays on your device; we never receive raw biometric data | Passwordless authentication (optional feature) |
We do not collect sensitive special-category data (health, religion, political opinions, sexual orientation) unless you voluntarily disclose this in a support communication, in which case we use it only to address your query.
3. Legal Bases for Processing
Under GDPR Article 6, we process your personal data under the following legal bases:
- Contract performance (Article 6(1)(b)): Processing your payments, maintaining your account, and delivering the Services you have requested.
- Legal obligation (Article 6(1)(c)): KYC/AML verification, transaction reporting, and regulatory record-keeping as required by financial regulators in Ghana, Kenya, Nigeria, and other jurisdictions where we are licensed.
- Legitimate interest (Article 6(1)(f)): Fraud prevention, security monitoring, network integrity, and improving the reliability of our platform — where these interests are not overridden by your rights.
- Consent (Article 6(1)(a)): Marketing communications, optional features such as personalised transaction insights, and any processing not covered by the above bases. You may withdraw consent at any time.
4. How We Use Your Data
- Payment processing: Routing your transaction through the appropriate payment rail, converting currencies, and crediting the recipient.
- KYC and AML compliance: Verifying your identity, screening against sanctions lists, and meeting regulatory reporting obligations.
- Fraud detection and prevention: Identifying unusual patterns, blocking suspicious transactions, and protecting the integrity of the network.
- Customer support: Resolving transaction disputes, answering queries, and improving our helpdesk responses.
- Legal compliance: Responding to lawful requests from regulators, courts, or law enforcement; maintaining records as required by law.
- Product improvement: Aggregate, anonymised analysis of platform usage to improve reliability and user experience. Individual transaction data is never used for this purpose without anonymisation.
- Marketing (consent only): Sending updates about new features, corridors, or promotions — only if you have opted in. You can unsubscribe at any time.
5. Data Sharing
We share your data only as necessary to deliver our Services. We do not sell your personal data. Ever.
- Payment providers: Paystack, Flutterwave, M-Pesa (Safaricom), MTN Mobile Money, and other licensed payment processors — who receive only the data necessary to execute your specific transaction.
- KYC/AML partners: Licensed identity verification providers who assist with document verification and sanctions screening.
- Cloud infrastructure: Hosting and database providers operating under strict data processing agreements, with servers located in Africa and the EU where possible.
- Regulators and authorities: Financial Intelligence Units, central banks, and law enforcement — when legally required or as part of our licensing obligations. We will always seek to notify you where legally permitted to do so.
- Group companies: Subsidiaries or affiliated entities of AfriLink Pay Ltd, where necessary to provide the Services.
All third parties who receive your data are contractually required to process it only for the specified purpose and to maintain appropriate security standards.
6. International Transfers
AfriLink Pay operates across 54 countries, and some data transfers occur across borders. We ensure these transfers are lawful by relying on:
- Adequacy decisions: Where the destination country has been deemed adequate by the relevant data protection authority (e.g., EU Commission adequacy decisions).
- Standard Contractual Clauses (SCCs): For transfers to processors outside Africa or the EU that do not benefit from adequacy decisions, we use the European Commission's approved SCCs.
- NDPR compliance: For Nigerian users' data transferred internationally, we comply with the requirements of Nigeria's National Data Protection Regulation, including data localisation requirements where applicable.
- Other African frameworks: We comply with applicable data transfer rules in each country where we are licensed, including Ghana's Data Protection Act.
7. Your Rights
Depending on your location and applicable law, you have the following rights regarding your personal data:
- Right to access: Request a copy of all personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data, where we are not legally required to retain it.
- Right to data portability: Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to restrict processing: Ask us to pause processing your data while you contest its accuracy or our right to process it.
- Right to object: Object to processing based on legitimate interest, including profiling.
- Rights related to automated decision-making: Not be subject to decisions made solely by automated processing that produce legal or similarly significant effects. If such processing occurs, you have the right to human review.
- Right to withdraw consent: Revoke consent for any processing based on consent at any time, without affecting the lawfulness of prior processing.
For EU/UK users (GDPR / UK GDPR)
Email privacy@afrilinkpay.com with the subject line "Data Rights Request — GDPR". We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority (e.g., ICO in the UK, CNIL in France).
For Nigerian users (NDPR)
Email privacy@afrilinkpay.com with the subject line "Data Rights Request — NDPR". You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).
For all other users
Email privacy@afrilinkpay.com. We will respond within 30 days and comply with applicable local data protection law.
8. Data Retention
| Data type | Retention period | Legal basis for retention |
| --- | --- | --- |
| Transaction records | 7 years from transaction date | AML and tax regulatory requirements |
| Account data | Duration of account activity + 2 years after closure | Contract performance; dispute resolution |
| KYC documents | 5 years from last transaction | Regulatory requirement across licensed jurisdictions |
| Device & usage logs | 13 months | Fraud prevention; security investigation |
| Support correspondence | 3 years from resolution | Legitimate interest; dispute evidence |
| Marketing preferences | Until consent is withdrawn | Consent |
Once retention periods expire, data is securely deleted or irreversibly anonymised. You may request early deletion for data not subject to mandatory retention requirements.
9. Security
We apply industry-standard security controls to protect your data:
- Encryption at rest: AES-256 encryption for all stored personal and financial data.
- Encryption in transit: TLS 1.3 for all data transmitted between your device and our servers.
- Multi-factor authentication: Available for all accounts and strongly recommended. TOTP and WebAuthn biometrics are supported.
- WebAuthn biometric authentication: Where used, biometric templates are stored exclusively on your device. We receive only a cryptographic proof — your fingerprint or face data never leaves your device.
- Regular penetration testing: Conducted by independent third-party security firms at least annually.
- SOC 2 certification: In progress. We follow SOC 2 Type II principles now; formal certification is an active initiative.
- Access controls: Strict role-based access control (RBAC) for all staff. Personal data is accessible only on a need-to-know basis.
- Security incident response: A dedicated team monitors for threats 24/7. We will notify affected users of a data breach within 72 hours of discovery, as required by applicable law.
10. Cookies
We use a minimal cookie policy aligned with our commitment to privacy:
- Session cookies (essential): Necessary for authentication and maintaining your session. These are deleted when you close your browser.
- Preference cookies (functional): Store your theme preference (dark/light mode) locally. No server-side processing.
We do not use:
- Third-party tracking cookies
- Advertising or retargeting cookies
- Analytics cookies from third parties (e.g., Google Analytics)
- Cross-site tracking of any kind
Any internal analytics we conduct use aggregated, anonymised server logs only — not browser-level tracking.
11. Children's Privacy
AfriLink Pay does not knowingly collect personal data from anyone under the age of 18. Our Services are not directed at children. If you believe we have inadvertently collected data from a minor, please contact privacy@afrilinkpay.com immediately and we will delete it without delay.
12. Updates to this Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this document.
- Send a notification to your registered email address.
- Display a prominent banner in the application.
For changes that materially affect your rights or how we process your data, we will seek fresh consent where required. The current version of this Policy is always available at our website.
13. Contact Our DPO
For any privacy-related questions, requests to exercise your rights, or concerns about how we handle your data:
- Email: privacy@afrilinkpay.com
- Subject line for rights requests: "Data Rights Request — [GDPR / NDPR / General]"
- Response time: Within 30 days of receipt
- Postal address: Data Protection Officer, AfriLink Pay Ltd, Airport City, Accra, Ghana