Privacy Policy

1. Who We Are

Reciiva ("we", "us", "our") is a supply chain finance marketplace that connects suppliers, anchor buyers (corporates), and lenders through an invoice discounting platform. The platform is operated by Reciiva Technologies ("the Company"), incorporated and operating in Nigeria.

For the purposes of the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR), Reciiva is the Data Controller of personal data processed through our platform and website. We are obligated to comply with the Nigeria Data Protection Commission (NDPC) framework and all applicable Nigerian financial and privacy regulations.

2. Data We Collect

We collect different categories of data depending on your role on the platform. We only collect what is necessary for the purpose stated.

2.1 All Users (Account Data)

• Email address — used for authentication, email verification, and transactional notifications.
• Password — stored as a one-way bcrypt hash. We never store your plaintext password.
• Role — supplier, anchor, lender, or admin.
• Email verification status and timestamp.
• Account status — active, suspended, pending.

2.2 Suppliers

• Business identity: company name, RC number (CAC registration), sector/industry.
• Contact details: contact email address and phone number.
• KYC status: pending, verified, watchlist, or rejected — and the associated documents submitted to achieve that status.
• Financial health data: supplier health score computed from payment history and invoice activity.
• Invoice data: invoice numbers, invoice amounts, issue dates, due dates, purchase order (PO) numbers, descriptions, and tenor (payment period in days).
• Invoice documents: uploaded PDF or image copies of invoices, purchase orders, and bank statements.
• Transaction data: advance amounts received, discount rates applied, funding dates, and repayment dates.
• Comments and correspondence: messages exchanged with lenders and anchors within the platform.

2.3 Anchor Buyers (Corporates)

• Business identity: company name, RC number, sector, procurement email address.
• Contact details: contact name and phone number.
• Payment terms: standard payment terms in days offered to your suppliers.
• ERP / integration type: how you connect to our platform (ERP, webhook, SFTP, or manual).
• Validation activity: records of invoices you approved or rejected, including any PO-match evidence and comments.
• Payment evidence: documents uploaded to confirm payment to lenders (e.g. bank transfer receipts).

2.4 Lenders — Institutions

• Business identity: organisation name, institution type (bank, NBFC, asset manager, DFI), website, and registered address.
• Contact details: contact email, phone number, compliance officer name, operations contact, and settlement contact.
• Appetite parameters: facility limit, maximum single exposure, maximum tenor days, rate range, preferred and excluded sectors.
• Compliance documents: NDPR/Data Processing Agreement, Board Mandate or Authorisation Letter, Signatory Mandate, and AML/KYC Policy Document.
• Portfolio data: funded invoices, deployed amounts, repayment history, and default rates.

2.5 Lenders — Individual Investors

Individual investors undergo an enhanced KYC process as required by CBN AML/KYC guidelines and the NDPA 2023:

• Full name, email address, phone number, and residential address.
• Bank Verification Number (BVN) — collected under CBN BVN guidelines for identity verification.
• National Identification Number (NIN) — collected under the NIMC Act 2007 for identity verification.
• Date of birth — to confirm legal age and prevent under-age participation.
• Gender — collected for regulatory reporting purposes.
• Occupation — to assess source of funds for AML compliance.
• KYC documents: valid government-issued photo ID, 6-month bank statement, proof of address, and BVN/NIN consent form.
• Investment activity: capital deployed, deals funded, returns received.

2.6 Technical and Usage Data (All Users)

• IP address — logged on every authenticated action for security auditing and fraud prevention.
• Browser/user-agent string — logged on login events for suspicious access detection and login alert emails.
• Session tokens: short-lived authentication tokens stored securely in your browser and cleared on logout.
• Audit log entries: an immutable record of every significant action you take on the platform (submit invoice, send offer, fund, repay), including user ID, action type, entity, timestamp, and IP address. These records cannot be deleted.
• Credit analysis data: AI-generated credit memos produced by our scoring engine, including cashflow analysis, risk signals, anomaly flags, and qualitative assessment.

3. How We Use Your Data

3.1 Platform Operations

• Creating and managing your account and maintaining your session securely.
• Processing invoice submissions, anchor validations, and the full funding lifecycle.
• Generating AI-powered credit analyses to facilitate informed lending decisions.
• Routing funding offers between lenders and suppliers and tracking offer negotiations.
• Sending transactional emails: email verification, password reset, offer received, offer accepted, login alerts, and repayment confirmation.
• Delivering in-app notifications for real-time deal activity.

3.2 Identity Verification and KYC/AML Compliance

• Verifying the identity of individuals and businesses as required by the CBN Anti-Money Laundering (AML) and Know Your Customer (KYC) guidelines.
• Cross-referencing BVN and NIN data with NIBSS (Nigeria Inter-Bank Settlement System) and NIMC databases.
• Screening against sanctions lists and watchlists published by the NFIU and EFCC for AML/CFT compliance.
• Maintaining KYC records for the minimum statutory period required by CBN AML/CFT Regulations 2022.

3.3 Credit Scoring and Risk Assessment

• Computing supplier health scores from invoice history, payment performance, and anchor relationships.
• Generating AI credit memos that assess invoice risk, supplier cashflow, and anchor payment behaviour.
• Matching eligible invoices to lenders based on their declared appetite parameters.

3.4 Security and Fraud Prevention

• Logging IP addresses and user-agent strings to detect suspicious login activity and send proactive login alerts.
• Maintaining an immutable audit trail to detect, investigate, and prevent fraud or abuse.
• Rate-limiting API requests to prevent automated attacks.

3.5 Legal and Regulatory Obligations

• Complying with the Nigeria Data Protection Act 2023 (NDPA), NDPR 2019, CBN regulations, FCCPC guidelines, NIMC Act 2007, and other applicable Nigerian laws.
• Responding to lawful requests from the Nigeria Data Protection Commission (NDPC), NITDA, CBN, EFCC, NFIU, or other competent Nigerian authorities.
• Retaining financial and KYC records for the minimum statutory retention periods under Nigerian law.

3.6 Platform Improvement

• Aggregated, anonymised analysis of platform usage to improve features and user experience. Individual users are not identified in such analysis.

4. Legal Basis for Processing

Under the NDPA 2023 and NDPR 2019, we rely on the following lawful bases for processing your personal data:

Where we rely on legitimate interest, we have balanced that interest against your rights as a data subject under the NDPA 2023 and do not believe it overrides them. You may object to such processing — see Section 8.

5. Data Sharing and Third Parties

We do not sell your personal data. We share data only in the following circumstances:

5.1 Within the Platform (Between Participants)

• Suppliers and Anchors: Anchors can see the invoices you submit that are associated with them. They do not see your financial account data or KYC documents.
• Suppliers and Lenders: When a lender reviews an eligible invoice, they see the invoice details and AI credit memo. They do not see your raw KYC documents or BVN/NIN.
• Lenders and Admins: Platform admins have full visibility for operational and compliance purposes.

5.2 Third-Party Service Providers (Data Processors)

We engage vetted third-party processors under written Data Processing Agreements (DPAs) in compliance with Section 28 of the NDPA 2023. These processors handle data strictly on our behalf and may not use it for their own purposes. The categories of processors we use include:

• Cloud hosting and infrastructure: Our platform is hosted on secure cloud infrastructure with data encrypted in transit and at rest.
• Database services: Structured data is stored in a managed, encrypted database with access restricted to authorised application processes only.
• File storage: Uploaded documents (invoices, KYC files, payment evidence) are stored in cloud object storage with strict access controls.
• Email delivery: Transactional emails are sent via a third-party email service provider. Only your email address and the content of the specific email are shared.
• AI-assisted analysis: Invoice and supplier data is processed by an enterprise-grade AI partner to generate credit memos. Our agreement with this provider prohibits use of your data for model training.
• Identity verification — NIBSS / NIMC: BVN data may be verified against the Nigeria Inter-Bank Settlement System (NIBSS) database; NIN data against the National Identity Management Commission (NIMC), as permitted under their respective enabling legislation.

5.3 Legal Disclosures

We may disclose your data to:

• The Nigeria Data Protection Commission (NDPC) or NITDA in response to lawful regulatory requests under the NDPA 2023.
• The Central Bank of Nigeria (CBN), EFCC, NFIU, or other competent Nigerian financial regulators when legally required.
• Law enforcement agencies in response to a valid Nigerian court order, subpoena, or warrant issued under applicable Nigerian law.

We will notify you of such requests unless prohibited by law from doing so.

5.4 Business Transfers

If Reciiva is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will provide notice and, where required by the NDPA 2023, seek your consent before such a transfer.

6. Cross-Border Data Transfers

Our primary operations are in Nigeria. However, because we use cloud service providers that may operate data centres outside Nigeria, some of your data may be processed internationally.

All cross-border transfers of personal data are conducted in compliance with Section 43 of the NDPA 2023, which requires that we only transfer data to a foreign country or international organisation where:

• The receiving country has been designated by the NDPC as providing an adequate level of data protection; or
• Appropriate safeguards are in place, such as Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) that bind processors to equivalent data protection obligations; or
• The transfer is necessary for the performance of a contract to which you are a party.

We maintain written DPAs with all third-party processors that receive Nigerian personal data. Copies of applicable transfer safeguards are available on request — contact hello@reciiva.com.

7. Data Retention

We retain your data for as long as necessary to fulfil the purposes described in this policy, or for the minimum statutory periods required under Nigerian law, whichever is longer.

When retention periods expire, data is securely deleted or anonymised in accordance with NDPC guidelines. Note that audit log entries cannot be deleted — they are an immutable compliance record. Where this conflicts with a deletion request, we will anonymise the personal identifiers within the log rather than delete the entry.

8. Your Rights Under Nigerian Law

As a data subject under the Nigeria Data Protection Act 2023 (NDPA) and the NDPR 2019, you have the following rights:

• Right to be informed — to know what data we collect and how we use it. This policy fulfils that obligation under Section 24 of the NDPA 2023.
• Right of access — to request a copy of the personal data we hold about you (NDPA s.34).
• Right to rectification — to request correction of inaccurate or incomplete data (NDPA s.35).
• Right to erasure — to request deletion of your data where there is no lawful basis for continued processing (NDPA s.36). Statutory retention obligations and immutable audit logs may limit this right.
• Right to restrict processing — to request that we pause processing your data in certain circumstances (NDPA s.37).
• Right to data portability — to receive your data in a structured, machine-readable format (NDPA s.38).
• Right to object — to object to processing based on legitimate interest or for direct marketing (NDPA s.39).
• Right not to be subject to solely automated decision-making — our AI credit scoring is used to inform lending decisions; no binding decision is made without human review (NDPA s.41).
• Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

How to Lodge a Complaint

If you believe your data protection rights have been violated, you may lodge a complaint with the:

• Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng — the competent supervisory authority under the NDPA 2023.
• Federal Competition and Consumer Protection Commission (FCCPC) — for consumer rights aspects of data misuse.

How to Exercise Your Rights

To exercise any of the rights above, contact our Data Protection Officer:

• Email: hello@reciiva.com
• Subject line: "Data Subject Request — [Right You Are Exercising]"

We will respond within 30 days as required by the NDPA 2023. We may request proof of identity before processing your request to prevent unauthorised access to your data.

9. Security Measures

We implement technical and organisational measures appropriate to the risk, in line with Section 38 of the NDPA 2023 and NDPC security guidelines:

• Passwords are hashed using an industry-standard one-way algorithm. Plaintext passwords are never stored or logged.
• Authentication uses short-lived session tokens with automatic expiry. Logging out immediately invalidates your session.
• Data in transit is encrypted using industry-standard protocols on all connections between your browser and our servers.
• Database access is restricted to authorised application processes only. Direct public access is disabled.
• Access control: all platform endpoints require valid authentication; role-based permissions prevent cross-role data access; automated rate limiting is applied to all endpoints.
• Audit logs are append-only. No user — including admins — can modify or delete audit entries.
• Document storage uses access-controlled cloud object storage. Documents are not publicly accessible without authorisation.
• Login alerts: if you log in from a new device or IP, we send an alert to your registered email address.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, and notify affected data subjects without undue delay, as required by Section 40 of the NDPA 2023.

10. Cookie Policy

10.1 Our Platform Application

The Reciiva platform application does not use browser cookies for authentication or session management. Session tokens are stored locally on your device and are not transmitted as HTTP cookies.

What this means for you: Your session data stays on your device until you log out or until your session expires naturally. Logging out immediately clears your session.

10.2 This Website

This marketing website is a static HTML page that loads the following third-party resources, which may set cookies or access local storage on your device:

10.3 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to refuse, delete, or be notified about cookies. Disabling certain cookies may affect how this website displays. To end your Reciiva session, simply log out — this immediately clears your session data.

For further guidance on managing cookies, visit aboutcookies.org.

11. Children's Privacy

Reciiva is a financial services platform intended exclusively for use by businesses and individuals aged 18 and over, consistent with Nigerian legal capacity for financial transactions. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has provided us with their information, please contact us at hello@reciiva.com and we will promptly delete that data.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, regulatory requirements, or platform features. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Send an email notification to all registered users at least 14 days before the changes take effect, where the change materially affects your rights as required under the NDPA 2023.
• For changes required by Nigerian law or regulatory directive, we may apply them immediately and notify you as soon as practicable.

Your continued use of the platform after the effective date constitutes acceptance of the updated policy.

13. Contact Us & Data Protection Officer

If you have any questions about this policy, wish to exercise your data rights, or want to report a concern, please contact:

Nigerian Regulatory Authorities

If you are not satisfied with our response, you may escalate to the relevant Nigerian authority:

• Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng — the primary supervisory authority under the NDPA 2023.
• National Information Technology Development Agency (NITDA) — nitda.gov.ng — for NDPR-related matters.
• Central Bank of Nigeria (CBN) — cbn.gov.ng — for financial data and KYC-related concerns.
• Federal Competition and Consumer Protection Commission (FCCPC) — fccpc.gov.ng — for consumer protection matters.