Introduction

ONAFRIQ GROUP, which consists of ONAFRIQ UK Holdings Limited and all its subsidiaries ("Onafriq", "we," our") is committed to protecting the privacy and security of the Personal Data we collect about end customers and users of our Services and Sites.

This privacy policy describes how we collect, use and share information about you. As a subsidiary of Onafriq Group, each Onafriq Contracting Affiliate shall process Personal Data in accordance with this privacy policy.

This policy covers:

Personal information we process to operate and administer the Onafriq Services.
Personal Information we process to maintain our partner and supplier network.
Information we collect when you interact with our websites, and platforms, including www.onafriq.com, https://www.beyonic.com/, https://gtpprepaid.com/, https://www.capricorndigi.net/, http://www.baxibox.com/ , https://baxipay.co/, https://home.onafriq.com/ (the "Sites").

We may change this privacy policy from time to time. If we make changes, we will make that clear by revising the date at the top of this policy, and in some cases, we may provide you with additional notice such as adding a statement to the homepages of our Sites. We encourage you to review the Privacy Policy whenever you interact with us to stay informed about our information practices and the ways you can help protect your privacy.

Please read this privacy policy carefully as it provides important information about how we handle your personal information and your rights. If you have any questions about any aspect of this privacy policy you can contact us using the information provided below or by emailing us at dataprotection@onafriq.com.

Definitions and legal references

Personal Data

Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.

Data Subject

The person to whom the Personal Data refers.

This Website (or this Application)

The means by which the Personal Data of the User is collected and processed.

Service(s)

The service(s) provided by Onafriq as described in the General Terms and Conditions and Service Schedule.

European Union (or EU)

Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.

Personal Data we process

Transactional data including payees' and recipients' names and mobile numbers, contact information, government identification data, financial data, professional life data, authentication data, connection data, localization data, bank and card account details and the amount processed.
Information collected for the purposes of ID verification, Anti Money Laundering, Know your Customer and Politically Exposed Person checks.
The names and contact details of contacts at our partner organisations and suppliers.
Names, contact details, job titles of prospective new business contacts which we gather from publicly available sources such as LinkedIn or Twitter.
Information we collect when a Data Subject messages us through our Sites or social media pages, or otherwise communicate with us via letter or email.
Information about your use of our Sites, including the type of browser you use, access times, pages viewed, your IP address and the page you visited before navigating to our Sites. For more information, please see the relevant Site's privacy policy.
Information Collected by Cookies and Other Tracking Technologies: We may use cookies, web beacons (also known as "tracking pixels") and other tracking technologies to collect information about you when you interact with our Sites or emails, including information about your browsing behaviour on our Sites. For more information, please see the relevant Site's cookie policy.

Purposes for which we process Personal Data

To facilitate transactions via the Onafriq platforms. On occasion we may also need to access transactional data in the course of system maintenance or troubleshooting system problems.
For the purposes of reconciliations (comparing our financial records with those of our partners to check they are in agreement).
To perform statistical analysis of customer transactional activity, such as daily spending trends.
To comply with the laws of relevant jurisdictions and carry out due diligence on partner organisations (e.g. verifying the identity of directors and shareholders, know-your-client verifications and anti-money laundering checks).
To source potential new partners for our network.
To enable our existing partners to connect to the Onafriq platforms.
To request feedback from our external partners and improve the Services we deliver to them.
Processing supplier invoices.
To respond to written enquires, comments or requests submitted by our partners, suppliers or Service users and provide customer service.
To improve our Sites and your experience, see which areas and features of our sites are popular, count visits, understand campaign effectiveness and determine whether an email has been opened and links within the email have been clicked.
To manage your online account and send you technical notices, updates, security alerts and support and administrative messages.

Our legal basis for processing your data

We will only process Personal Data where one of the lawful bases and/or applicable data protection laws. The lawful bases we rely on are as follows:

Consent – we have obtained the Data Subjects consent for the processing;
Contractual requirement – the processing is necessary in order to enter or perform a contract with the Data Subject;
Compliance with a legal obligation – we have a legal obligation to perform the processing; or
Legitimate interests – we have a legitimate interest in processing the Personal Data, provided that such legitimate interest is not overridden by the rights or freedoms of the affected Data Subjects.

In any case where Personal Data is processed because it is necessary for the performance of a contract to which a Data Subject is a party, we will be unable to provide our Services without the required information.

Sharing a Data Subject's Personal Data

We may share personal information about a Data Subject:

with other partners in our network where this is necessary to process a payment you have made via our platforms. These partners may include mobile network operators, money transfer organisations, banking institutions and merchants.
with other partners in our network where this is necessary for the purposes of reconciliations and identity verification.
with consultants and other service providers who need access to Personal Data to carry out work on our behalf.
where necessary to carry out due diligence on our partners, such as Know Your Client, Anti Money Laundering and Politically Exposed Person checks.
when we are required to liaise with judicial or regulatory authorities by applicable law or disclosure is necessary to comply with any applicable law, regulation or legal process.
where we have commissioned a third party to carry out a financial audit of Onafriq
in connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of our business to another company.

International Transfers

Personal Data may be transferred to destinations outside a Data Subject's country of residence/ nationality if this is necessary to process transactions, provide you with other Services or fulfil our obligations under applicable law, regulation or legal process.

We will only transfer Personal Data outside a Data Subject's country of residence/ nationality in accordance with the applicable data protection laws and where applicable, where the destination country has benefited from a European Commission adequacy decision and where we have put in place EU approved Standard Contractual Clauses which contractually oblige the recipient to process and protect Personal Data to the standard expected within the United Kingdom or EU/EEA.

How long we keep a Data Subject's data

We will retain the information we collect about a Data Subject for as long as required for the purposes set out above, including the purposes of satisfying any legal, accounting or reporting requirements.

Therefore:

Personal Data collected for purposes related to the performance of a contract between the you and us shall be retained until such contract has been terminated.
Personal Data collected for the purposes of our legitimate interests shall be retained as long as needed to fulfil such purposes. You may find specific information regarding the legitimate interests pursued by us within the relevant sections of this document or by contacting us.

We may be allowed to retain Personal Data for a longer period whenever you have given consent to such processing, as long as such consent is not withdrawn. Furthermore, we may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.

The below retention schedule indicates the recommended minimum retention period for Personal Data and records containing Personal Data in countries of the Onafriq Contracting Affiliates:

Country	Retention practice according to data protection legislation	Retention practice according to payment services legislation
United Kingdom	Personal Data to be retained for as long as it is needed and there is lawful basis for keeping it.	At least 5 years from date when a transaction took place
Mauritius	There is no general data retention law in Mauritius	At least seven years after the completion of the transactions to which it relates.
Ghana	Personal Data to be retained where: a) retention is required or authorised by law; b) retention of the record is reasonably necessary for a lawful purpose related to a function or activity; c) retention is required by virtue of a contract between the parties to the contract; or d) the Data subject consents to the retention of the record.	6 years from the date the record was created
Tanzania	N/A	Minimum of 10 years from the date: a) when all activities relating to a transaction or a series of linked transactions were completed; b) when the business relationship was formally ended; or c) where the business relationship was not formally ended but when the last transaction was carried out.
Nigeria	Personal Data to be retained where: a) it is necessary in relation to the purposes for which it was collected or processed; b) Data Subject does not withdraw consent on which the processing is based; c) Data Subject does not object to the processing and there are legitimate grounds for the processing;	At least 5 years after the completion of the transaction
Uganda	Personal Data shall be retained where: a) the retention is required or authorised by law; b) the retention is necessary for a lawful purpose related to function/ activity for which the data is collected or processed; c) the retention is required by a contract between parties; d) the Data Subject consents to the retention of the data.	Minimum of 10 years
DRC	N/A	10 years after accounts are closed or relationships are terminated
Kenya	Personal Data should be retained: a) as long as is reasonably necessary to satisfy the purpose for its processing; b) as required or authorised by law; c) as consented to by the Data Subject; or d) for historical, statistical, journalistic, literature, art, or research purposes. Under the Kenya Information and Communications Act.	Minimum of 7 years.
Rwanda	Personal Data will be retained for no longer than is necessary for the purposes for which it was received unless otherwise extending the retention period is required or permitted by law	Minimum of 10 years from the date the record was obtained or produced
USA	Personal Data will be retained for no longer than is necessary for the purposes for which it was received	No mandatory retention requirements
Malawi	Personal Data must be kept for no longer than necessary for the purposes for which it was collected.	Minimum of 7 years from when the evidence of a person's identity was obtained (b) any transaction or correspondence; (c) when the account is closed or business relationship ceases, whichever is later.
Hong Kong	Personal Data is not kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data is or is to be used.
South Africa	Personal Data is to be retained where: a) retention is required or authorised by law; b) the responsible party reasonably requires the record for lawful purposes related to its functions or activities; c) retention is required by a contract between the parties thereto; d) the Data Subject has consented to the retention of the record. Records of personal information may be retained for periods in excess of those contemplated above for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.	Minimum of 5 years.
Cote D'Ivoire	Personal Data must be kept for a period not exceeding the period necessary for the purposes for which they were collected or processed. Beyond this required period, the data may be retained only for the purpose of responding specifically to processing for historical, statistical, or research purposes under legal provisions (Article 16 of the Law).

At the end of the retention period, Personal Data will either be securely deleted or anonymised, for example by aggregation with other data, so that it can be used in a non-identifiable way for statistical analysis and business planning.

Data Subject rights and options

Data Subjects have the following rights in respect of their Personal Data:

the right of access to their Personal Data and request copies of it and information about our processing of it.
the right to ask us to rectify or add to the Personal Data we hold where it is incorrect or incomplete.
the right to withdraw their consent at any time where we are using a Data Subject's Personal Data with their consent.
the right to object to us using their Personal Data where we are using their Personal Data because it is in our legitimate interests to do so.
the right to object to us using their Personal Data where we are using a Data Subject's Personal Data for direct marketing, including profiling for direct marketing purposes.
the right to ask us to restrict the use of their Personal Data if:
- It is not accurate.
- It has been used unlawfully but you do not want us to delete it.
- We do not need it any-more, but you want us to keep it for use in legal claims; or
- if a Data Subject has already asked us to stop using their Personal Data but you are waiting to receive confirmation from us as to whether we can comply with the request.
In some circumstances the Data Subject can request us to erase their personal data and request a machine-readable copy of their Personal Data to transfer to another Service provider.
Data Subjects have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning them or similarly significantly affects them.

Data Subjects will not have to pay a fee to access their Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. If a Data Subject wishes to exercise their rights, please contact us at dataprotection@onafriq.com, Data Subjects can also lodge a complaint with the following data protection authorities applicable to their country of residence:

Country	Data Protection Authority
United Kingdom	Information Commissioner's Office: https://ico.org.uk/concerns/
Mauritius	Data Protection Commissioner: dpo@govmu.org
Ghana	Data Protection Commission : info@dataprotection.org.gh
Tanzania	Bank of Tanzania: https://www.bot.go.ts/Home/ContactUs
Nigeria	Nigeria Data Protection Bureau: https://ndpb.gov.ng/Home/about
Uganda	Personal Data Protection Office: https://www.pdpo.go.us/file-complaint
DRC	Autorite De Regulation De La Poste Et Des Telecommunications du Congo: https://arptc.gouv.cd/arptc-contact/, secretariat@arptc.gouv.cd
Kenya	Office of Data Protection Commissioner: https://www.odpc.go.ke/file-a-complaint/
Malawi	Data Protection Authority not appointed
Hong Kong	Office of the Privacy Commissioner for Personal Data: https://www.pcpd.org.hk/english/complaints/introduction/introduction.html
South Africa	Information Regulator: https://inforegulator.org.za/complaints/
Cote D'Ivoire	The Telecommunications/ICT Regulatory Authority of Côte d'Ivoire https://www.autoritedeprotection.cj/espace-plaintes/
Rwanda	The Data Protection Office: https://dpo.gov.rw/contact-us/
USA	Central Data Protection Authority not appointed

Changes to this Privacy Policy

We may update this Privacy Policy (and any supplemental privacy policy), from time to time for legal or regulatory reasons. Any changes will be notified through suitable announcement on the Onafriq website or via e-mail where required by applicable law to do so.

ONAFRIQ Privacy Policy