Privacy Policy

Privacy Policy for Bitscard.app

Introduction

Bitscard.app (“Bitscard”, “we”, “our”, or “us”) is a leading Nigerian fintech company offering an integrated suite of financial services, including cryptocurrency exchange, fiat transfers, local and international USD ACH accounts, buying and selling of gift cards, and creation of virtual dollar cards. We are committed to ensuring the security, privacy, and protection of our users’ (“you”, “your”) personal data in accordance with Nigeria’s legal and regulatory requirements and global industry best practices. This Privacy Policy details how Bitscard collects, uses, processes, shares, transfers, and secures your personal information, while also outlining your rights as a data subject under relevant Nigerian data privacy and consumer protection laws.

We adhere to the Nigeria Data Protection Act (NDPA) 2023, the General Application and Implementation Directive (GAID) 2025, the Nigeria Data Protection Regulation (NDPR) 2019, Central Bank of Nigeria (CBN) regulations, Securities and Exchange Commission (SEC) rules, and other applicable legislative instruments, along with standards set forth by the Nigeria Data Protection Commission (NDPC) and supplementary sectoral guidelines.

Scope of the Policy

This policy applies to all users of Bitscard.app platforms, including websites, mobile applications, products, and services, as well as potential customers and business partners whose data we handle. The policy governs all personal data processed in Nigeria and, to the extent required by law, in any jurisdiction where Bitscard processes personal data of Nigerian residents or citizens.

Definitions

For clarity in our practices, the following definitions, as outlined in the NDPA and supporting regulations, are observed:

Personal Data: Any information relating to an identifiable individual, including identifiers such as name, identification number, location data, or online identifier, and factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.

Sensitive Personal Data: Data revealing racial or ethnic origin, religious beliefs, political opinions, biometric data, health information, sexual life, criminal records, or other categories as prescribed in Nigerian law.

Data Subject: The individual to whom personal data relates.

Data Controller: The entity which determines the purpose and means of processing personal data—in this case, Bitscard.

Data Processor: Any person or organization which processes personal data on behalf of Bitscard.

Processing: Any operation performed on personal data, such as collection, storage, alteration, retrieval, use, disclosure, erasure, or destruction.

Legal Framework and Regulatory Compliance

Bitscard operates within a complex and evolving legal landscape. The principal framework includes:

Nigeria Data Protection Act (NDPA) 2023

NDPA General Application and Implementation Directive (GAID) 2025

Nigeria Data Protection Regulation (NDPR) 2019 and Implementation Framework

Child Rights Act 2003

Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (as amended 2024)

CBN Consumer Protection Regulations 2019

CBN Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Banks 2024

AML/CFT and KYC regulations by CBN and Nigerian Financial Intelligence Unit (NFIU)

SEC Accelerated Regulatory Incubation Programme and digital asset framework

Central Bank of Nigeria Guidelines on Operations of Virtual Asset Providers

Guidelines relating to USD ACH accounts and international remittances

Key obligations and compliance duties for fintech companies in Nigeria include mandatory registration and audit filings, robust security measures, transparency, and upholding data subject rights.

1. Data Collection

Bitscard collects personal data strictly necessary to provide its services and fulfil legal, regulatory, and contractual obligations. The types of personal data collected depend on the nature of your transaction and regulatory requirements.

A. Categories of Data Collected

Identification and contact information: Name, date of birth, email, telephone numbers, address, gender, passport or national identification, photograph, and biometric data (where legally required).

Account and transactional data: Account numbers, transaction histories, ACH account details, digital wallet and card information, bank verification number (BVN), payment card details, gift card numbers, wallet balance, virtual card creation and usage.

KYC/AML-related data: Copies of government-issued IDs, utility bills or proof of address, BVN, NIN, occupation, business registration for legal entities, and politically exposed person (PEP) status.

Device and usage data: Internet Protocol (IP) address, device identifiers, browser settings, geolocation, cookies, timestamps, mobile and web application usage statistics.

Communication data: Customer care records, chat transcripts, audio (call center recordings), video (CCTV at agent locations).

Sensitive personal data: As required by regulation, including biometric verification for high-value transactions; sensitive data is collected only with explicit consent.

B. Special Categories and Children’s Data

Bitscard does not knowingly collect data from persons under 18 except with parental/legal guardian consent, as required under NDPA and Child Rights Act.

C. Automated Decision-Making and Profiling

Certain services use automated decision-making (e.g., anti-fraud and risk scoring) in compliance with Nigerian law, with the right for data subjects to request human review.

2. Purpose and Legal Basis for Data Processing

Bitscard processes your data in accordance with the principles of fairness, lawfulness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, duty of care, and accountability as delineated by the NDPA and industry best practices.

A. Core Legal Bases for Processing

Consent: Freely given, informed, and unambiguous consent (especially for direct marketing, sensitive data, children's data, non-standard processing).

Contractual necessity: For performing your contract with Bitscard (e.g., opening accounts, processing payments, providing cards and exchanges).

Legal obligation: For compliance with regulatory requirements, including AML/CFT and consumer protection regulations.

Vital interest: For the protection of your or another’s life or welfare in exceptional situations.

Public interest or official authority: Where processing is required for a task carried out in the public interest (e.g., fraud prevention, financial crime detection).

Legitimate interests: When required for Bitscard’s or a third party’s legitimate interests, except where such interests are overridden by the data subject’s rights and freedoms. Any such processing is subject to legitimate interest assessment and balancing tests.

B. Primary Purposes for Data Processing

To verify your identity and comply with Know Your Customer (KYC), anti-money laundering (AML)/counter-terrorist financing (CFT) requirements.

To provide and maintain Bitscard’s services, including account creation, fiat and crypto transactions, ACH payments, virtual card issuance, and gift card management.

To communicate with you about account and service-related activity and respond to your queries.

For fraud detection, risk management, and cybersecurity measures.

To undertake marketing and promotional communication, where permitted and with opt-out options.

For internal audits, product development, analytics, and service improvement.

To fulfil legal, regulatory, and reporting obligations to authorities such as CBN, SEC, NDPC, EFCC, NFIU, or upon court order.

3. Cookies and Tracking Technologies

Bitscard uses cookies and similar tracking technologies to enhance user experience, maintain session security, analyse traffic, and support marketing (with your consent). Non-essential and analytical cookies require user consent per NDPA/GAID. Cookie consents are presented conspicuously with clear accept/reject options; necessary cookies are exempt.

Users can withdraw consent or adjust cookie settings at any time.

4. Data Sharing and Third-Party Processing

Bitscard does not sell user data. Data sharing occurs only as strictly required by law and to fulfil services. Third-party processors are bound by written contracts that ensure compliance with data protection principles.

A. Categories of Data Recipients

Regulatory and government authorities: CBN, NDPC, NDIC, SEC, EFCC, NFIU, tax authorities, law enforcement or courts in line with statutory obligations.

Payment processors and financial institutions: Banks, card schemes, ACH network operators.

Crypto and digital asset entities: Licensed virtual asset service providers according to CBN/SEC requirements.

Gift card and card-issuing partners: For processing transactions, ensuring activation/settlement, fraud prevention.

Third-party service providers: Technology vendors, cloud hosting providers, KYC/AML screening services, customer support partners.

Professional advisers and auditors: Legal, compliance, audit, accounting, and consulting partners.

Mergers, acquisitions, and restructuring: To parties involved in business transactions as permitted by law, subject to confidentiality safeguards.

B. Due Diligence, Contractual Safeguards, and Oversight

All third parties are vetted for compliance with the NDPA, NDPR, and international cross-border data transfer requirements.

Contracts specify obligations, lawful basis, security measures, rights of audit, data breach protocols, and assistance with data subject rights.

5. International Data Transfers

Bitscard may transfer personal data outside Nigeria (e.g., for cloud storage, international payments, or card issuance) in strict accordance with NDPA and GAID 2025 requirements. Such transfers are only permitted where:

The recipient country or recipient entity offers an adequate level of data protection recognized by the NDPC.

Appropriate safeguards are in place, such as:

NDPC-approved standard contractual clauses

Binding corporate rules

Recognized codes of conduct or certifications

Exceptions are granted for specific, occasional transfers based on:

Informed consent of the data subject

Necessity for contract performance

Legal claims or vital interests

Public interest as prescribed by law

Documentation and Accountability: Bitscard documents every cross-border transfer, the legal mechanism used, and adequacy assessments as required by law. Data subjects are provided clear information on risks where their data is transferred on the basis of consent or other derogations.

6. Data Security

Bitscard implements industry-leading technical and organizational measures to protect personal data from unauthorized or unlawful processing, accidental loss, destruction, damage, or breaches, as mandated by the NDPA, CBN cybersecurity frameworks, and sector standards.

Security Controls Include:

Multi-layered firewalls and regular vulnerability assessments

Data encryption in transit and at rest

Role-based access controls and multi-factor authentication

Physical access controls for offices and data centers

Third-party security audits and annual penetration tests

Data loss prevention and incident response plans

Staff security awareness and privacy training

Continuous monitoring and incident reporting

Compliance with PCI DSS, SOC, and other applicable standards for payment and card processing

Cybersecurity Obligations:

Bitscard adheres to the CBN Risk-Based Cybersecurity Framework, conducting an annual risk assessment, maintaining updated threat/vulnerability records, performing periodic user access reviews, and reporting major cybersecurity incidents to the authorities within stipulated timelines.

7. Data Retention

Bitscard retains personal data only as long as necessary for the purpose for which it was collected, or as required by law, regulation, or contractual obligation.

Data retention periods are determined by:

NDPA limits: retention only for as long as necessary for processing purpose, after which deletion or de-identification must occur within 6 months unless retention is further lawfully justified.

NDPR/implementation guidelines: up to 3 years after last active use of a platform, and up to 6 years after last transaction pursuant to a contract, unless otherwise required for legal claims or obligations.

AML/CFT and banking regulations: minimum retention period of 5 years for KYC, account, and transaction records after the termination of a business relationship or transaction.

Breach and complaint records are held until regulatory timeframes lapse.

Data is securely destroyed, de-identified, or anonymized after expiry of retention period, unless preservation is required for dispute resolution, investigations, fraud prevention, or for compliance with retention laws.

8. Children’s Privacy

Bitscard strictly prohibits processing the data of anyone under 18 years old unless with verifiable parental or legal guardian consent, except in stipulated exceptions (vital interest, education, legal claims). Privacy notices and user interfaces are designed to be child-friendly to facilitate understanding by both minors and their guardians.

Age verification measures, such as requiring government-approved ID during onboarding, are implemented to prevent unlawful processing of children’s data.

When processing is for valid exceptions, Bitscard ensures compliance within the context of the Child Rights Act and Nigeria’s NDPA 2023.

Failure to provide appropriate consent or satisfy age verification may result in denied access or suspension of a child’s account in accordance with regulatory requirements.

9. Automated Decision-Making

Wherever Bitscard employs automated profiling or decision-making (including risk scoring, anti-fraud checks, or KYC verifications), such processing is:

Lawful only where necessary for contract performance, mandated by law, or based on your explicit consent.

Accompanied by appropriate safeguards, including the right for data subjects to request human intervention, express their view, and contest decisions.

10. Data Breach Notification

Bitscard is committed to the prompt detection, containment, and notification of any data breach according to regulatory requirements.

Breach Incident Response:

Any personal data breach likely to result in a risk to your rights and freedoms is reported to the NDPC within 72 hours of detection, with phased disclosures as more information becomes available.

Where a breach creates a high risk to personal rights or freedoms, Bitscard will promptly notify the affected data subjects, describing the nature and potential consequences, measures taken, and avenues for seeking redress.

All breach incidents and remedial actions are documented and stored for regulatory auditing and compliance.

Delay or failure to notify a qualifying breach may result in enforcement sanctions from the NDPC, alongside reputational impact and further legal obligations.

11. User Rights

Under Nigerian law, all users of Bitscard have enforceable rights relating to their personal data, as summarized below. These rights may be exercised by contacting Bitscard, and, where appropriate, through the Data Protection Officer detailed below.

| User Right | Description |
| --- | --- |
| Right of Access | You may request access to or a copy of your personal data held by Bitscard in a commonly used electronic format. |
| Right to Rectification | You may request correction or completion of inaccurate or incomplete personal data we hold about you. |
| Right to Erasure (“Right to be Forgotten”) | You may request deletion of your personal data (subject to legal retention requirements or overriding public interest). |
| Right to Restrict Processing | You can request restriction of processing of your personal data where accuracy is contested, or processing is unlawful but you oppose erasure. |
| Right to Object | You may object to the processing of your personal data based on legitimate interests or direct marketing at any time. |
| Right to Withdraw Consent | You are entitled to withdraw your consent for processing at any time (this will not affect processing carried out prior to withdrawal). |
| Right to Data Portability | You may request that your personal data be provided to you or transferred to another controller in a machine-readable format, where technically feasible. |
| Right Against Automated Processing | You can request not to be subject solely to automated decision-making with legal or significant effects, with the right to human review. |
| Right to Lodge a Complaint | You may file complaints with Bitscard’s DPO or with the Nigeria Data Protection Commission (NDPC) if dissatisfied with Bitscard’s response. |

Bitscard will respond to user rights requests within one month of receipt (or as stipulated by law) and will not charge a fee unless requests are manifestly unfounded or excessive.

12. Marketing and Communications

Consent: All marketing communications require opt-in consent, with the ability to opt out at any time using the preferences provided or by contacting our DPO.

Direct marketing/advertising: You have the absolute right to object to direct marketing at any time, with opt-out mechanisms clearly provided as required by the NDPA and CBN Guidelines.

Third-party marketing: Bitscard will not sell your data for third-party marketing. Where marketing is sent on behalf of a partner, this will be made clear and subject to your consent.

13. Gift Cards and Virtual Card Data Handling

Handling of data related to gift cards and virtual dollar cards is governed by both CBN electronic payments guidelines and data protection laws:

Sensitive payment data, such as card numbers, PINs, and CVVs, are encrypted and protected according to PCI DSS industry standards.

Redemption, purchase, and transaction details are shared only as needed to fulfil your instruction or regulatory requirements.

Specific safeguards for gift card portals and virtual card management systems are applied; known fraud vectors and attack patterns are actively monitored and mitigated.

Data minimization and transparency: Only the data required for card issuance, redemption, or support is collected; customers are provided clear explanations about required information and security tips.

14. Crypto Exchanges and Virtual Asset Services

Bitscard complies with CBN VASP guidelines and SEC’s digital asset rules, implementing customer due diligence, robust verification measures, and regular monitoring of virtual asset transactions.

KYC/AML obligations: Users must provide verified ID, and high-value transactions may require additional checks in compliance with anti-money laundering laws.

International transfers: Crypto and virtual asset transactions crossing borders are treated as cross-border transfers, triggering all adequacy and consent requirements.

Recording and reporting: All activities are logged and kept for the legally specified retention period, with suspicious activities reported to regulators as mandated by the AML/CFT framework.

15. AML/CFT and Financial Crime Prevention

Bitscard is bound by Nigerian AML/CFT and KYC laws, under supervision of the Central Bank, NFIU, and other authorities. We conduct:

Identity verification using national databases (NIN, BVN, passport)

Ongoing customer and transaction monitoring, including adverse media screening

Reporting of suspicious, high-volume, or unusual transactions to NFIU

Sanctions list screening against UN, EU, and Nigerian sanctions, as well as PEP checks

Training and awareness programs for staff and compliance teams

Document retention for legal minimum periods (at least 5 years for KYC/transaction records)

16. Data Protection Officer (DPO) and Contact

Bitscard, as a data controller of major importance, appoints a Data Protection Officer (DPO) with expert knowledge in Nigeria’s data privacy laws and international standards.

The DPO’s responsibilities include:

Advising management, staff, and users on Bitscard’s data protection obligations

Monitoring internal compliance and conducting periodic audits

Reviewing and signing off on Data Privacy Impact Assessments (DPIA) for high-risk or innovative processing

Managing requests and complaints from data subjects

Liaising with the Nigeria Data Protection Commission and reporting significant incidents

Contact Information for Bitscard Data Protection Officer:

Address: 18 Admiralty Way, Lekki, Lagos

E-mail: dpo@bitscard.app

Phone: +234202212293581

Website: https://bitscard.app

Users may contact the DPO at any time regarding their privacy rights or concerns, or to initiate an internal complaint.

17. Data Protection Compliance Organizations (DPCOs)

Bitscard works with NDPC-licensed Data Protection Compliance Organizations for annual audits, staff training, and periodic compliance reviews, as required for Data Controllers of Major Importance under the NDPA and GAID 2025.

18. Changes to the Policy

Bitscard may update this Privacy Policy to align with regulatory changes, product enhancements, or organizational restructuring. Users will be notified of significant changes via our platform or to their provided contact details at least 5 days before the effective date, in accordance with NDPA/GAID requirements.

19. Remedies and Redress

If you believe your data protection rights have been violated, you have access to both internal complaint handling and escalation mechanisms with the NDPC. Bitscard maintains dispute resolution processes in accordance with the NDPA, CBN Consumer Protection Regulations, and contracts with users.

If dissatisfied with our DPO’s response, you may escalate your complaint to:

Nigeria Data Protection Commission: www.ndpc.gov.ng

Central Bank of Nigeria (for payment disputes): www.cbn.gov.ng

Complaint forms and timelines for resolutions will be communicated during the process.

20. Consent

Your use of Bitscard’s services signifies your agreement to the terms of this Privacy Policy. Where your explicit consent is needed for specific processing, it will be clearly requested through our platform interfaces.

You may withdraw consent at any time using your account settings or by contacting our DPO, subject to legal and contractual restrictions.

Last Updated: 19 October 2025

Summary Table: Key User Privacy Rights

| Right | How to Exercise |
| --- | --- |
| Access | Contact the DPO or use in-app portal |
| Rectification | Request correction via platform or DPO |
| Erasure | Submit deletion request via platform or DPO |
| Restriction/Objection | Submit request via DPO |
| Portability | Request data export through platform or DPO |
| Human review | Request review of automated decisions via DPO |
| Withdraw consent | Update preferences in settings or contact DPO |
| Complaint | Lodge via DPO or escalate to NDPC |

Frequently Asked Questions

Do you share my data with advertisers?

No. Bitscard does not sell or rent customer data to third parties. Any marketing or promotional contact will be with your express, revocable consent.

Will my crypto and transaction data leave Nigeria?

Bitscard may use third-party technologies or cloud services with servers outside Nigeria. Every such cross-border transfer is done per NDPA, using adequacy mechanisms, with informed user consent where required.

How do you keep my virtual card/gift card data safe?

Sensitive card and transaction data are encrypted to PCI DSS and NDPA security standards. We do not store cardholder data unnecessarily beyond legal and contractual obligations. Systems are monitored for threats, and we use industry best practices for fraud prevention.

Can I opt out of analytics and profiling?

Yes. You may disable non-essential cookies, opt out of profiling for marketing, and generally object to processing not strictly required for contractual/legal reasons.

How do you handle children’s data?

We never knowingly process under-18 data without verified parental consent. Age-verification is robust, and all child data processing aligns with the NDPA and Child Rights Act.

Bitscard is committed to transparency and trust. Please contact our DPO through the platform or via email if you have any privacy questions.
