Privacy Policy

ReassureQI is a financial identity and compliance infrastructure platform operated by SafeNest Digital Limited ("SafeNest Digital", "we", "us", or "our"). We are committed to protecting the privacy and security of all personal data we process in connection with our products and services. This Privacy Policy explains how we collect, use, store, share, and safeguard personal data when you: • Visit our website at reassureqi.io • Use our API products and compliance platform • Submit inquiries or contact us directly • Interact with us as a business partner, client institution, or data subject This Policy is governed by the Nigeria Data Protection Act 2023 (NDPA) and the regulations issued by the Nigeria Data Protection Commission (NDPC). By using our services, you acknowledge that you have read and understood this Policy.

The data controller responsible for your personal data is: SafeNest Digital Limited Data Protection Officer: contact@reassureqi.com For all data subject requests, complaints, or privacy enquiries, please contact our Data Protection Officer at contact@reassureqi.com with the subject line "Privacy Enquiry".

We collect and process the following categories of personal data, depending on how you interact with us: 3.1 Identity & Verification Data • Full legal name, date of birth, gender • National Identification Number (NIN) • Bank Verification Number (BVN) • International passport number, driver's licence number • Biometric data (facial images, liveness detection captures) 3.2 Contact & Account Data • Email address, phone number, business address • Job title and organisation name • Account login credentials (hashed) 3.3 Financial Reference Data • Credit bureau reports and scores • Transaction reference data submitted for AML screening • KYC tier status and verification history 3.4 Technical & Device Data • IP address, device fingerprint, browser type and version • Operating system, session identifiers • API request logs, verification timestamps 3.5 Communications Data • Enquiries and messages submitted via our contact form • Email correspondence with our team • Support tickets and related communications We do not collect or process special categories of personal data (e.g., health data, racial or ethnic origin, political opinions, religious beliefs) unless strictly required by law and with your explicit consent.

Under the NDPA 2023, we process personal data on the following legal bases: 4.1 Performance of a Contract (NDPA Section 25(1)(b)) Processing necessary to deliver identity verification, AML screening, fraud detection, and compliance services requested by our client institutions and their end-users. 4.2 Legal Obligation (NDPA Section 25(1)(c)) Processing required to comply with applicable laws and regulations, including: • CBN KYC Guidelines and AML/CFT Regulations • NFIU (Nigerian Financial Intelligence Unit) reporting requirements • NDPA 2023 compliance obligations • Court orders and lawful directives from regulatory authorities 4.3 Legitimate Interests (NDPA Section 25(1)(f)) Processing necessary for our legitimate interests in: • Preventing fraud, money laundering, and financial crime • Maintaining the security and integrity of our platform • Improving our products and services • Communicating with clients and prospective clients 4.4 Consent (NDPA Section 25(1)(a)) Where we rely on consent (e.g., marketing communications), you may withdraw consent at any time by contacting contact@reassureqi.com.

We use personal data for the following purposes: • Identity Verification: Verifying NIN, BVN, and biometric data to confirm the identity of individuals during customer onboarding at financial institutions. • AML Transaction Monitoring: Analysing transaction data to detect patterns consistent with money laundering, terrorist financing, or other financial crimes. • Fraud Detection: Cross-referencing identity and behavioural signals across our network to identify synthetic identities, account takeover attempts, and fraud rings. • Compliance Automation: Generating SAR/CTR reports, maintaining immutable audit trails, and supporting CBN regulatory examinations. • Credit Risk Assessment: Enriching identity profiles with credit bureau data to support risk-based customer screening. • Platform Security: Monitoring API usage for abuse, detecting anomalous access patterns, and enforcing access controls. • Product Development: Using aggregated, anonymised data to improve the accuracy and performance of our AI models. • Communication: Responding to enquiries, providing technical support, and sending service-related notifications. • Legal Compliance: Fulfilling our obligations under Nigerian law, including responding to lawful requests from regulatory authorities.

We do not sell your personal data. We share data only in the following circumstances: 6.1 Authorised Sub-processors We engage the following sub-processors to deliver our services. All sub-processors are bound by Data Processing Agreements and are required to maintain NDPA-equivalent data protection standards: • Amazon Web Services (AWS) — Cloud infrastructure and data storage (af-south-1 region) • NIMC (National Identity Management Commission) — NIN verification • NIBSS (Nigeria Inter-Bank Settlement System) — BVN verification • Credit Registry Corporation (CRC) — Credit bureau queries • FirstCentral Credit Bureau — Credit bureau queries • XDS Data / CreditChek — Alternative credit data • Datadog — Application performance monitoring (pseudonymised data only, no PII) 6.2 Client Institutions We share verification results and compliance data with the financial institution that initiated a verification request on behalf of their customer. 6.3 Regulatory Authorities We disclose personal data to the CBN, NFIU, NDPC, law enforcement, or other government authorities where required by law or valid legal process. 6.4 Corporate Transactions In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to equivalent data protection obligations.

ReassureQI is committed to Nigeria-first data residency. All Nigerian customer PII — including NIN, BVN, biometric data, and financial reference data — is processed and stored exclusively within Nigeria, using AWS infrastructure in the af-south-1 (Cape Town) region, which is the nearest AWS region aligned with Nigerian data sovereignty requirements. We do not transfer raw Nigerian PII outside of Nigeria. Where we query international sanctions lists (OFAC, UN, EU), we transmit a pseudonymised reference token — not raw PII. Matching is performed locally using list snapshots refreshed every 6 hours. Any pseudonymised data sent to third-party monitoring services (e.g., Datadog) is covered by appropriate contractual safeguards including Standard Contractual Clauses where applicable.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, subject to applicable legal retention obligations: • KYC verification records: 5 years from last customer activity (CBN/NFIU requirement) • AML transaction monitoring records: 5 years from transaction date • Credit bureau query logs: 3 years • Immutable audit logs: 7 years • Biometric captures (selfies, liveness video): Deleted within 90 days unless your organisation's approved retention policy requires longer • Contact form enquiries: 2 years from last interaction • API access logs: 12 months After the applicable retention period expires, data is securely deleted or anonymised using industry-standard methods.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction: • Encryption at rest: AES-256 encryption for all stored data • Encryption in transit: TLS 1.3 for all data in transmission • Key management: AWS Key Management Service (KMS) with hardware security modules (HSMs) in af-south-1; keys rotated annually • Access controls: Role-based access control (RBAC), least-privilege principles, and multi-factor authentication for all staff accessing production systems • API security: API keys stored as SHA-256 hashes; keys cannot be recovered after issuance • Penetration testing: Quarterly third-party penetration testing by a CREST-accredited security firm • Incident response: 72-hour breach notification SLA to the NDPC and affected parties as required by NDPA Section 40 • Staff training: Mandatory data protection training for all employees handling personal data

Under the Nigeria Data Protection Act 2023 (Sections 28–35), you have the following rights regarding your personal data: 10.1 Right of Access You have the right to request a copy of the personal data we hold about you and information about how it is processed. 10.2 Right to Rectification You have the right to request correction of inaccurate or incomplete personal data without undue delay. 10.3 Right to Erasure You have the right to request deletion of your personal data where it is no longer necessary for the purpose it was collected, subject to legal retention obligations. 10.4 Right to Restrict Processing You have the right to request that we restrict processing of your data in certain circumstances (e.g., while accuracy is disputed). 10.5 Right to Data Portability You have the right to receive your personal data in a structured, commonly used, machine-readable format. 10.6 Right to Object You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds. 10.7 Right to Withdraw Consent Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. 10.8 Right to Lodge a Complaint You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng if you believe your data protection rights have been violated. To exercise any of these rights, email contact@reassureqi.com with the subject line "NDPA Data Subject Request". Include your full name and the organisation through which you interacted with ReassureQI. We will respond within 30 calendar days.

Our website uses cookies and similar tracking technologies to enhance your experience: • Essential cookies: Required for the website to function (session management, security tokens). These cannot be disabled. • Analytics cookies: We use anonymised analytics to understand how visitors use our site and improve content. No personally identifiable information is collected. • Preference cookies: Used to remember your settings and preferences across visits. You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect your ability to use the website.

Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data relating to a child, please contact us immediately at contact@reassureqi.com and we will delete such data promptly.

We may update this Privacy Policy periodically to reflect changes in our practices, legal obligations, or regulatory requirements. We will notify you of material changes by posting the updated Policy on our website with a revised "Last Updated" date. For significant changes, we will provide additional notice (e.g., email notification to registered users). Your continued use of our services after the effective date of any changes constitutes acceptance of the updated Policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact: Data Protection Officer SafeNest Digital Limited Email: contact@reassureqi.com Subject line: "Privacy Policy Enquiry" We aim to respond to all enquiries within 5 business days and to data subject requests within 30 calendar days.