Privacy Policy
Version 2 · Effective 14 June 2026
This Privacy Policy explains how Kuvarpay Limited (“Kuvarpay”, “KuvarSend”, “we”, “us”, “our”) collects, uses, shares, and protects your personal data when you use the KuvarSend app and related services. It is the companion to the KuvarSend Terms of Service.
1. About this Policy and who we are
1.1. KuvarSend is a product within the KuvarPay ecosystem, operated by Kuvarpay Limited. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use the KuvarSend app and related services (the “Services”), and the rights you have over your data.
1.2. KuvarSend is a technology and distribution platform. The regulated remittance, payment, currency-conversion, settlement, and virtual-asset services accessed through KuvarSend are provided and executed by our licensed Payment Partners (currently Yellow Card and Startbutton), and identity verification is carried out with our verification partner (currently Smile Identity). This means that, to provide the Services, your personal data is necessarily shared with these partners, who process certain data as independent controllers under their own privacy policies for the regulated services they perform. See Section 6.
1.3. This Policy forms part of, and should be read with, the KuvarSend Terms of Service. Capitalized terms not defined here have the meaning given in the Terms.
1.4. Who is the controller. For the data we process to operate KuvarSend (account, onboarding, app analytics, support), the controller is Kuvarpay Limited. For the regulated services, the relevant Payment Partner is a controller (or joint controller) for the data it processes to deliver that service.
2. Scope
2.1. This Policy applies to Users and prospective Users of KuvarSend in the Supported Countries (Nigeria, Ghana, Kenya, South Africa, Rwanda, and Uganda). It does not apply to third-party services we link to or to the Payment Partners’ own processing, which are governed by their own policies.
3. The personal data we collect
3.1. Information you give us at registration: your name, country of residence, email address and/or phone number, a username/tag, and the device identifier that pairs you with the app.
3.2. Identity-verification (KYC) information: to meet our and our Payment Partners’ legal obligations, we collect, depending on your country and verification tier:
- full legal name, date and place of birth, gender, nationality;
- residential address and, where required, proof of address;
- a government-issued identity number — for example NIN and/or BVN for Nigerian Users, and the national equivalent for other countries;
- occupation and source of funds;
- a tax identifier, where required; and
- at the enhanced tier, a photograph of a government-issued ID and a selfie, used for biometric matching to confirm you are the document holder.
3.3. Transaction information: amounts, currencies, exchange rates and fees, funding source, Recipient details (such as bank account or mobile-money number, wallet address, and any memo), Digital Asset deposit and withdrawal details, narratives you supply, payment requests, and Transaction status and history.
3.4. Device, technical, and usage information: device model and operating system, app version, language, IP address, push-notification token, approximate location derived from your device or network, security signals (such as whether a device appears jailbroken/rooted), authentication events, and log and diagnostic data.
3.5. Communications and support data: messages you send us, support tickets, and your contact and marketing preferences.
3.6. Information from third parties: verification results, sanctions/PEP/adverse-media screening results, and fraud signals from our verification partner, Payment Partners, identity authorities, and screening providers.
3.7. Special-category / sensitive data. Your selfie and the biometric template derived from it are sensitive personal data. We process them only to verify your identity and prevent fraud, as required by law, and on the lawful basis described below (and with your explicit consent where the applicable law requires it).
4. How we use your data and our lawful bases
We use your personal data for the purposes and on the lawful bases below. Where a Supported Country’s law uses different terminology, the equivalent local basis applies.
| Purpose | Lawful basis |
|---|---|
| Create and administer your Account; provide the app and the Services | Performance of our contract with you |
| Verify your identity (KYC) and re-verify you over time | Legal obligation (AML/CFT Laws) |
| Screen you and your Transactions against sanctions, PEP, and adverse-media lists; monitor for suspicious activity; make regulatory reports | Legal obligation; and our and the public’s legitimate interest in preventing financial crime |
| Execute your Transactions, including sharing the minimum necessary data with the Payment Partner that performs them | Performance of our contract with you; and, where required, your consent for specific partner sharing |
| Detect, prevent, and investigate fraud, abuse, and security incidents | Legitimate interests; legal obligation |
| Provide customer support and handle complaints | Performance of our contract; legitimate interests |
| Comply with court orders, regulator and law-enforcement requests, and tax and record-keeping laws | Legal obligation |
| Improve, secure, and maintain the Services (diagnostics, analytics) | Legitimate interests |
| Send you service and transactional messages | Performance of our contract; legal obligation |
| Send you marketing | Consent (which you can withdraw at any time) |
4.1. Where we rely on legitimate interests, we have balanced them against your rights and will provide details on request. Where we rely on consent (e.g. specific partner data-sharing or marketing), you may withdraw it at any time without affecting the lawfulness of prior processing or the Services that rest on another basis.
5. Identity verification and screening
5.1. To verify you, we share the identity information in Section 3.2 with our verification partner (currently Smile Identity), which checks it against records held by the relevant national identity authority and performs biometric matching of your selfie to your ID.
5.2. We (and/or our Payment Partners and screening providers) screen you and your Transactions against sanctions, politically-exposed-persons, and adverse-media lists, before and during your use of the Services. We do this because we are required to by the AML/CFT Laws. Where the law prohibits us from telling you that a Transaction or Account has been delayed, declined, or reported, we will not be able to give you a reason.
6. Who we share your data with
We share personal data only as needed for the purposes above. We do not sell your personal data, and we do not share it with third parties for their own marketing.
6.1. Payment Partners (Yellow Card and Startbutton). Because the regulated services are provided by our Payment Partners, executing your Transactions requires sharing the minimum necessary identity and Transaction data with the relevant Partner. They process that data as independent controllers under their own privacy policies and licences for the regulated services they perform. Where the applicable law or our arrangement requires your specific consent for this sharing, we capture it in the app, and you can manage or withdraw it (withdrawing a consent needed to provide a Service may mean we can no longer provide it).
6.2. Verification partner. Our identity-verification partner (currently Smile Identity) processes your identity and biometric data to perform the checks in Section 5.
6.3. Banks, mobile-money operators, and blockchain networks. Recipient and Transaction details necessary to complete a payout or transfer are shared with the receiving institution or network. On-chain transactions are, by their nature, recorded on a public blockchain.
6.4. Service providers (processors). Cloud hosting, push-notification, communications, analytics, and security providers that process data on our behalf and under our instructions, subject to contractual data-protection terms.
6.5. Authorities. Regulators, law-enforcement, tax authorities, and courts, where we are legally required or permitted to disclose.
6.6. Our group and advisers. Other entities in the KuvarPay ecosystem, and our professional advisers (legal, audit, compliance), where necessary and subject to confidentiality.
6.7. Business transfers. A buyer or successor in connection with a merger, acquisition, financing, or reorganization, subject to this Policy.
7. International data transfers
7.1. Your data may be processed outside your country of residence — for example by our Payment Partners, verification partner, or cloud providers. Where we transfer personal data across borders, we do so only where a lawful transfer mechanism applies and we put appropriate safeguards in place as required by the applicable data-protection law (for example, adequacy decisions, standard contractual clauses, or the contractual-necessity and consent grounds available under the NDPA, POPIA, the Kenya Data Protection Act, and the other laws of the Supported Countries).
8. Data residency and storage
8.1. We store data in encrypted form. Where a Supported Country’s law requires data to be hosted locally, we host the relevant data accordingly. Sensitive identifiers (such as NIN/BVN) are encrypted with a dedicated key.
9. How we protect your data
9.1. We use technical and organizational measures appropriate to the risk, including encryption of data in transit and at rest, dedicated encryption for sensitive identifiers, access controls and least-privilege, PIN and biometric authentication, device-integrity checks, monitoring, and staff confidentiality obligations.
9.2. Your part. No system is perfectly secure. You must keep your credentials, PIN, biometric access, and device secure, and tell us immediately if you suspect compromise (see the Terms). We are not responsible for loss caused by your failure to keep your credentials or device secure.
10. How long we keep your data
10.1. We keep your personal data for as long as you have an Account and afterwards for the periods required by the AML/CFT Laws and other laws applicable to you — typically several years (commonly 5–10) from your last Transaction or the closure of your Account, depending on your country.
10.2. After the applicable retention period, we delete or irreversibly anonymize the underlying records, and we may keep a minimal audit-log entry recording that we held and destroyed them.
11. Your rights
11.1. Subject to the conditions and exceptions in the data-protection law applicable to you, you have the right to:
- access the personal data we hold about you and obtain a copy;
- request rectification of inaccurate or incomplete data;
- request erasure of your data — subject to our overriding legal retention obligations (Section 10), which generally prevent deletion of KYC/AML records during the statutory period;
- restrict or object to certain processing;
- request portability of data you provided, where applicable;
- withdraw consent where we rely on it (e.g. partner data-sharing or marketing); and
- lodge a complaint with your data-protection authority (Section 14).
11.2. To exercise a right, contact us at privacy@kuvarpay.com. We will respond within the time required by the applicable law. We may need to verify your identity first, and some requests may be limited by law (for example, where fulfilling them would breach our AML/CFT obligations or reveal a suspicious-activity report).
Deleting your account and data. You can permanently close your KuvarSend account at any time from Settings → Delete account inside the app, which signs you out and closes your account. You may also request account and data deletion by emailing privacy@kuvarpay.com. For legal and anti-money-laundering reasons we retain certain transaction and identity records for the statutory period described in Section 10, after which they are deleted or irreversibly anonymized. Accounts that still hold a balance must be emptied before deletion.
12. Children
12.1. The Services are only for people aged 18 or over (or the age of majority in your country, if higher). We do not knowingly collect data from children. If we learn we have, we will delete it.
13. Marketing and communications
13.1. We send service and transactional messages necessary to provide the Services and meet legal obligations; you cannot opt out of these while you hold an Account.
13.2. We send marketing only with your consent, which you can withdraw at any time in the app or via the unsubscribe mechanism, without affecting the Services.
14. Country-specific information and your regulator
14.1. The data-protection law and supervisory authority that apply to you depend on your country of residence. You may lodge a complaint with the relevant authority:
- Nigeria — Nigeria Data Protection Act (NDPA); Nigeria Data Protection Commission (NDPC).
- Ghana — Data Protection Act, 2012; Data Protection Commission.
- Kenya — Data Protection Act, 2019; Office of the Data Protection Commissioner (ODPC).
- South Africa — POPIA; Information Regulator.
- Rwanda — Law relating to the protection of personal data and privacy; National Cyber Security Authority.
- Uganda — Data Protection and Privacy Act, 2019; Personal Data Protection Office.
15. Changes to this Policy
15.1. We may update this Policy. When we make a material change, we will notify you and may require you to review and accept the updated Policy before continuing to use the Services, in line with the re-acceptance mechanism in the Terms.
16. Contact us
- Privacy / Data Protection: privacy@kuvarpay.com
- Support: support@kuvarpay.com
- Legal entity: Kuvarpay Limited, registered in Nigeria
- Registered office: Lagos, Nigeria