Privacy Policy
Last Updated: March 12, 2025
1. Introduction
Dojah Technologies Limited (“Dojah,” “we,” “our,” or “us”) is committed to protecting the confidentiality, integrity, and availability of personal data. We operate the Vouch App (“Vouch” or the “App”), a digital identity application that allows you to securely store, verify, and share your personal identity information with trusted third parties.
We understand the sensitivity of personal and biometric data, especially in the Nigerian context where identity theft and fraud are major risks. This Privacy Policy therefore explains in clear terms:
- The categories of personal data we collect and process.
- The purposes and legal bases for processing.
- The third parties with whom we may share your data.
- The rights available to you under the Nigeria Data Protection Act, 2023 (NDPA).
- The safeguards we use to protect your data.
By downloading, registering, or using the Vouch App, you acknowledge that you have read and understood this Privacy Policy and agree to the practices it describes.
2. Definitions
For the purposes of this Privacy Policy:
- “App” or “Vouch” means the Vouch mobile application operated by Dojah Technologies Limited.
- “Personal Data” means any information that relates to an identified or identifiable individual, including but not limited to your name, phone number, government-issued ID, or biometric data.
- “Processing” means any operation performed on Personal Data, including collection, recording, storage, sharing, and deletion.
- “Controller” means Dojah Technologies Limited, which determines the purposes and means of processing your data.
- “Processor” means a third party engaged by Dojah to process data on its behalf.
- “Third Parties” means service providers, regulated institutions, or other entities with which your data may be lawfully shared through the App.
- “You” or “User” means any individual who registers for or uses the Vouch App.
3. Scope & Applicability
This Privacy Policy applies to all personal data processed through the Vouch App, regardless of the device or platform you use. It applies to:
- Personal data you provide directly to us during registration, verification, or while using the App.
- Personal data collected automatically when you interact with the App, such as device information or usage logs.
- Personal data we receive from third-party verification providers, regulated institutions, or government databases.
- Vendors, merchants, and businesses that onboard, verify, or maintain profiles under the Vouch for Vendors module.
This Policy does not apply to:
- Third-party services accessed through the App (e.g., banks or fintech platforms). Such services are governed by their own privacy policies.
- Aggregated or anonymised data that cannot reasonably be linked back to you.
We encourage you to review this Privacy Policy regularly, as it forms part of our contract with you as a user of the Vouch App.
4. Personal Data We Collect
The Vouch App collects and processes different categories of personal data depending on how you interact with the App:
- Basic Identifiers – e.g., full name, phone number, username, email, and contact details.
- Authentication Data – PINs, passwords, and device biometrics (e.g., fingerprint, face ID).
- Government-issued Identifiers – NIN, BVN, driver’s licence, passport, voter card.
- Biometric Data – selfies, liveness detection images, and facial recognition templates.
- Device and Usage Data – device type, OS, IP address, QR scans, and in-app usage logs.
- Third-Party Verification Data – pass/fail responses or reports from verification partners.
- Vendor & Business Data (Vouch for Vendors):
  - Business name and description
  - Business category
  - Business address or operating location
  - Government-issued identification of vendor owners or representatives
  - Business registration documents (CAC, TIN, SMEDAN, where applicable)
  - Social media handles linked to the business
  - Verification status, trust badge tier, and trust score
  - Customer reports and dispute records
  - Metadata such as timestamps, verification logs, and device information
We do not collect more data than necessary, and all data collection is guided by the principles of lawfulness, fairness, transparency, and minimisation.
4a. Biometric and Facial Data Processing
During the identity verification process, the Vouch app requests access to the device camera to capture facial images (selfies) for the purpose of confirming the identity of the user.
The facial data collected may include:
- Selfie images captured by the user
- Facial recognition templates generated during the verification process
Purpose of Face Data Collection
Facial data is collected and used solely for identity verification and fraud prevention, including:
- Performing liveness detection to confirm that a real person is present
- Matching the user's selfie with the photograph on their identity document
- Detecting spoofing attempts or AI-generated facial images
Facial data is not used for marketing, advertising, analytics, or user profiling purposes.
Storage of Face Data
The Vouch app does not maintain a permanent database of facial biometric data on its servers. Facial captures used during the verification process remain stored locally on the user's device, and biometric data is processed only for the purpose of completing the verification session.
Retention of Face Data
Facial data is retained only for the duration necessary to complete the identity verification process. Once the verification process is completed, Vouch does not retain facial biometric data beyond what is necessary for the verification session.
5. How We Use Your Personal Data
We process your personal data for lawful and proportionate purposes, including:
- Account Creation & Management – registering and managing your profile.
- Identity Verification & Fraud Prevention – validating your identity and preventing fraud.
- Data Sharing with Third Parties – allowing you to share your identity data with authorised institutions.
- Regulatory Compliance – fulfilling obligations under AML/CFT and related laws.
- Security & Integrity – monitoring for suspicious behaviour and preventing unauthorised access.
- Service Improvement – troubleshooting issues and developing new features.
- Customer Support – responding to inquiries and resolving complaints.
We will not use your personal data for advertising or marketing without your explicit consent.
6. Legal Basis for Processing
We process personal data under the following legal grounds:
- Consent – e.g., when you authorise sharing of data with a bank or fintech.
- Contractual Necessity – e.g., to store PINs and enable authentication.
- Legal Obligations – e.g., to comply with AML/CFT regulations.
- Legitimate Interests – e.g., fraud detection, service improvement, security monitoring.
Biometric processing is based on explicit consent and/or legal obligations, as applicable. Users can withdraw consent, subject to service limitations.
Where multiple bases apply, we rely on the most appropriate basis for the context.
7. Automated Decision-Making & Profiling
The App uses automated tools to provide pass/fail identity verification outcomes. While this enhances speed and reduces error:
- Users may request human review of outcomes.
- Users may contest results believed to be inaccurate.
- Explanations of decision logic will be provided on request.
We do not use profiling for decisions with legal or similarly significant effects without your knowledge and consent.
8. Sharing of Personal Data
We share personal data only when lawful, necessary, and proportionate:
- Verification Providers – such as FaceAPI and DeepFace, under Data Processing Agreements.
- Regulated Institutions – banks, fintechs, telecoms, when you consent to share.
- Authorities – NDPC or law enforcement, when legally required.
These providers process personal data solely for identity verification purposes and are required to comply with strict security, confidentiality, and data protection obligations under applicable data processing agreements.
We never sell or rent personal data for marketing.
9. International Data Transfers
Some providers may be located outside Nigeria. We ensure compliance by using:
- Standard Contractual Clauses (SCCs).
- Transfer Impact Assessments (TIAs).
- Binding contractual agreements.
Transfers are conducted with safeguards to protect your rights.
10. Data Retention
We retain data only for as long as necessary:
- Account information – retained for the lifetime of your account.
- Verification logs – retained for legally required periods.
- Closed accounts – deleted or anonymised unless retention is mandated by law.
- Vendor Data – business and verification data is retained only for as long as the vendor maintains an account or as required for fraud prevention, dispute resolution, or legal compliance. Unnecessary documents are deleted promptly after verification.
Retention schedules are periodically reviewed for compliance with minimisation and limitation principles.
11. Security Measures
We safeguard your data through:
- Encryption in transit and at rest.
- Multi-factor authentication (PIN, OTP, liveness).
- Role-based access controls.
- Security audits, vulnerability scans, penetration testing.
- Incident response procedures, with timely notifications of breaches.
- Staff training on privacy and security obligations.
These measures are designed to minimise risks and demonstrate accountability.
12. Children’s Privacy
The App is not intended for users under 18. We do not knowingly collect children’s data.
- If such data is discovered, it will be deleted immediately.
- Parents/guardians may contact compliance@dojah.io to request deletion.
Restricting access to adults reduces risks of misuse of sensitive data.
13. Your Rights
You have the following rights under the NDPA:
- Access – confirmation and a copy of your data.
- Rectification – correct or update inaccuracies.
- Erasure – request deletion where no lawful basis exists.
- Restrict Processing – request suspension in certain cases.
- Withdraw Consent – at any time.
- Portability – receive data in portable format.
- Object – to certain types of processing.
- Automated Decision Rights – request review or contest outcomes.
These rights apply to individual users and vendors, where applicable.
To exercise rights, email compliance@dojah.io. We will respond within statutory timelines.
14. Tracking Technologies & Analytics
We use mobile-based tracking technologies to ensure security and performance:
- Device Identifiers – e.g., Android ID, Apple IDFA.
- In-App Analytics – e.g., Firebase for crashes, fraud monitoring.
- Secure Storage – storing session tokens, login state, verification history.
- Push Notification Tokens – for account or feature alerts.
- Fraud Monitoring – analysing device attributes and logs.
Some tracking is essential for security. Users may manage identifiers via device settings.
15. Vouch for Vendors
Vouch for Vendors is a business-facing module of the Vouch App designed to help vendors, merchants, and businesses establish trust and credibility by verifying their identity and business information.
15.1 Categories of Vendors
Vendors using this module may include:
- Informal sellers (e.g., social media merchants on Instagram, WhatsApp, TikTok, Facebook);
- Small and medium-sized enterprises (SMEs);
- Registered businesses and enterprises.
15.2 Vendor Data Processing
For vendors, we process personal and business-related data for the purposes of:
- Verifying the identity of the vendor and, where applicable, its owners or representatives;
- Validating business registration details;
- Assigning and maintaining a verified vendor badge or trust score;
- Enabling vendors to appear in a customer-facing directory;
- Preventing fraud, impersonation, and abuse;
- Handling customer reports and vendor disputes.
15.3 Public vs Private Vendor Information
We distinguish clearly between information that may be publicly visible and information that remains private.
Public Information may include: Business name; business category; verified vendor badge or trust tier; trust score; business profile photo or logo; social media handles; customer ratings or reviews (where applicable).
Private Information includes: Government-issued ID numbers and documents; CAC, TIN, or SMEDAN documents containing personal details; vendor contact details (phone number and email); verification results and internal risk assessments; device information, IP logs, and dispute history. Private information is never made public, even with consent.
15.4 Lawful Basis for Vendor Processing
Vendor data is processed on the following legal bases:
- Contractual Necessity – to provide vendor verification and listing services;
- Legitimate Interest – for fraud prevention, trust scoring, and dispute resolution;
- Consent – for displaying vendor profiles and business information publicly.
Vendors must explicitly opt in before being listed in the public directory.
15.5 Vendor Rights
Vendors have the right to:
- Access and correct their business information;
- Delete or update uploaded documents via the vendor dashboard;
- Withdraw consent for public listing;
- Request deletion of their account, subject to lawful retention requirements.
Upon account deletion, vendor profiles are unpublished, and unnecessary personal data is removed in accordance with our retention policy.
15.6 Reports, Complaints, and Disputes
Customers may report vendors for fraud, impersonation, or misconduct.
Vendors may submit disputes or complaints through the App, supported by evidence.
All reports are reviewed through a structured investigation workflow, and outcomes may include: Removal of public content; badge suspension or revocation; escalation to Trust & Safety or Legal teams in severe cases.
16. Complaints & Supervisory Authority
If you believe your rights have been violated, contact compliance@dojah.io.
If not satisfied, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC): Email: dpo@ndpc.gov.ng
17. Third-Party Links and Services
The App may contain links to third-party services. We are not responsible for their privacy practices. Please review their policies before engaging with them.
18. Business Transfers
If Dojah undergoes a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. Protections in this Policy will continue to apply.
19. Updates to this Privacy Policy
We may update this Policy from time to time. Updates will be communicated via the App or email. Continued use after updates indicates acceptance.
20. Governing Law
This Privacy Policy is governed by the laws of the Federal Republic of Nigeria, including the NDPA.
21. Contact Us
For questions or concerns, contact us at: compliance@dojah.io