PRIVACY POLICY

SMARTLOANS INTEGRATED SERVICES LIMITED

Last Updated: August 26, 2025

This Privacy Policy is formulated and issued by SMARTLOANS INTEGRATED SERVICES LIMITED (hereinafter referred to as “SMARTLOANS”, “we”, “us”, or “our”), a company duly incorporated and existing under the laws of the Federal Republic of Nigeria. The user is hereinafter referred to as “you”, “borrower”, or “data subject”.

We fully recognize the importance of privacy and data protection and are committed to ensuring that your personal information is processed in a lawful, fair, and transparent manner. This Privacy Policy specifies the legal basis upon which we process your personal data in accordance with the Nigeria Data Protection Act (2023), the Nigeria Data Protection Regulation (2019), the Federal Competition and Consumer Protection Act (2021), and other applicable data protection regulations, including but not limited to relevant guidelines issued by the Nigeria Data Protection Commission (NDPC), as well as, where applicable, international best practices. This Policy primarily covers matters related to the collection, processing, storage, and protection of personal data involved through the use of our application. This Policy applies to all users of the application, including applicants, borrowers, and other individuals whose personal data may be collected or processed in the course of providing our services.

By accessing, downloading, registering, or using our application Lendsafe Care APP, you indicate that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree to any terms of this Privacy Policy, please immediately cease using the application.

This Privacy Policy will help you understand the following:

1. What data do we collect?
2. How do we process, provide, and disclose your information?
3. How do we collect and store your information?
4. How long do we retain your data?
5. How can you exercise your rights?
6. How do we protect your data?
7. How to contact us?

1. What Data Do We Collect?

a. The data we collect may include the following.
b. Basic identity information: including your name, gender, identification photo, liveness detection, user ID, detailed address, telephone number, and other relevant personal details provided by you.
c. Device activity and location information: including your device’s network status, Bluetooth approximate location information, advertising ID, calendar, etc.
d. Behavioral data: user behavior data on the Lendsafe Care APP, such as page inputs, visits, and clicks.
e. Device data: including your device’s unique identifier, battery status information, and other device-specific identification data.
f. Financial data: sensitive financial content such as your bank account information and transaction history.
g. Contact information: including the name and phone number of your emergency contact.
h. Application technical data: including device ID, application usage activity, application performance data, device failure logs, system diagnostic information, and other identifying information.
i. Other data: information obtained from third parties related to this agreement, such as credit reports obtained from credit bureaus.

2. How Do We Process, Provide, and Disclose Your Information?

We collect your information/data primarily for the following purposes:

a. To provide the loan services you require, perform the contract between you and us, and process and manage your requests, answer your questions, or respond to your requirements.
b. To prevent, detect, and manage fraud and illegal activities, and verify your identity,we will use internal and third-party screening tools for document identification and liveness verification to prevent unauthorized disclosure of your personal information and protect account security.
c. To provide our services to you, we will share relevant user information with contractual partners for credit assessment, loan approval, and risk control. To complete payment services provided to you (such as disbursements), we will share your name, bank card number, and other information with our business cooperation third parties for payment operations.
d. To optimize the lending services provided to you, improve service quality, control risks, and safeguard your account security, after obtaining your authorization, we will share some of your personal information with third-party partners such as Advance, Facebook, and AppsFlyer, including your name, email address, user ID, mobile number, financial status, approximate location information, in-app activity records, application performance, device model, battery level, etc. This shared data will be used for identity verification, authenticity confirmation, credit review, loan approval and disbursement, payment settlement, and post-loan management to assess your credit situation.
e. Based on the information you provide and information obtained through your device, etc., we will use risk control models to comprehensively assess your credit and repayment ability, thereby completing the loan approval process. Simultaneously, we will conduct credit scoring and update our consumer credit data to keep records current.
f. To contact you via the contact details you provide, such as telephone or email, for example, to push updates or informational communications about the mobile application. To send you marketing content and service updates curated by us, but if you do not wish to receive our messages, we provide you with the option to unsubscribe.
g. To perform data analysis, identify usage trends, determine the effectiveness of promotional campaigns, and evaluate and improve our services, products, marketing, and your experience.
h. To comply with legal and regulatory requirements, we will share personal information, transaction information, and other data as required by government or regulatory agencies. To recover loans extended to you and resolve potential disputes, including cooperating with law enforcement or regulatory investigations.
i. To achieve any other purposes disclosed to you in the course of providing services to you.

3. How Do We Collect and Store Your Information?

We primarily obtain information through manual entry and upload of personal information by users on the Lendsafe Care APP, or by obtaining and collecting information through user-authorized device permissions.

a. We only collect and upload user information and data when the user’s mobile application is running or open. When the user is not running the Lendsafe Care APP, we do not collect or upload any information or data. We strictly adhere to legal requirements and securely upload all data via encryption to the https://api.lendsafecare.ng/lena/lenaData server.
b. We will collect device hardware/software information (such as model, operating system version) and unique identifiers for device authentication and fraud prevention.
c. With your explicit consent, we will use your device’s network camera to capture your photo ID through facial recognition technology to verify the authenticity of your identity as a borrower. This measure aims to prevent fraud and unauthorized access and protect your account security.
d. To safeguard the data security of your device and prevent data leakage due to data transmission between Bluetooth devices, we will obtain Bluetooth permissions to detect connected Bluetooth devices.
e. We need to determine whether your current network environment is Wi-Fi or mobile data and whether the network is available to provide you with a smoother user experience. To ensure a good network experience while using the application, we will assess network stability based on Wi-Fi signal strength. If the network is unstable, we will decide whether to switch to other network modes to ensure the quality of data transmission.
f. To monitor transaction security risks, assist in identifying abnormal transaction activities, improve service quality, and safeguard account security, we will only obtain your approximate location information after obtaining your authorization.
g. To facilitate sending repayment reminders before the due date, we need to obtain read and write permissions for the calendar. We will strictly adhere to only reading information related to loan schedules, solely for confirming your repayment schedule.
h. Certain features of our product require internet access to function properly (such as obtaining online data and synchronizing information). To protect your network data security and prevent your data from being leaked or tampered with during transmission, we will strictly comply with relevant laws and regulations.
i. We will access your text messages, but only use financial text messages to assess users' risk profiles for credit evaluation purposes, which includes determining users' eligibility for using products and services as well as verifying users' identities.
j. We obtain the device advertising ID primarily to optimize ad delivery. We will combine the device advertising ID with user behavior habits to accurately analyze the actual effectiveness of ad delivery.
k. We will only share your personal information with trusted authorized third parties when necessary to meet your service needs, such as identity verification, credit scoring, and loan disbursement. Without your consent, we will not disclose any personal information to unrelated third parties or use it for purposes beyond the scope of this Privacy Policy.
l. If the data subject withdraws consent or objects to the processing of their information, and there is no other legal basis or overriding legitimate interest; or if the personal data involves private information adverse to the data subject, unless authorized by freedom of speech, expression, or press, etc., to justify it; or if the processing is unlawful, or the personal information controller or processor has infringed upon the rights of the data subject, we will cease processing your personal information.

4. How Long Do We Retain Your Data?

4.1 In accordance with Nigerian law, we will retain your personal data only for the period necessary to fulfill the purposes outlined in this Privacy Policy, as required by law. Specifically: (Note: “Closed” refers to the final settlement of the loan or termination of the user account): ➢ Personal identification information: retained for 6 years after account closure to support fraud investigations and comply with regulatory requirements;; ➢ Financial and transaction data: retained until the 6th year after transaction completion for audit, financial reporting, and compliance with tax obligations;; ➢ KYC documents: retained for 6 years after account closure to comply with Anti-Money Laundering (AML) laws and Central Bank regulations;; ➢ Device and Usage Data: retained for 2 years from collection or last use to ensure platform security, analyze and improve services;; ➢ Inactive accounts: scheduled for deletion 2 years after the last login, unless retained for compliance or legal purposes;; ➢ Loan agreements: retained for 6 years after loan repayment/closure to support dispute resolution and ensure legal enforceability of contracts.
4.2 Data Deletion and Disposal: Data deletion: When the retention period expires, we will take security measures to delete or implement irreversible anonymization, unless otherwise required by law.; Deletion tools: For digital data, we use certified secure deletion tools; for physical documents, we shred and destroy them through secure channels.; Third-party providers: Third-party service providers and vendors processing personal data are required to follow similar deletion procedures and provide confirmation of disposal when necessary.
4.3 Exceptions to the Retention Schedule: Under the following specific circumstances, we may extend the standard retention period for data:; User consent: when you explicitly consent to an extended data retention period;; Legal requirements: when applicable laws or regulatory directives require data retention;; Legal disputes or investigations: when the data is involved in legal disputes, regulatory investigations, or ongoing litigation.

5. How Can You Exercise Your Rights?

In accordance with the Nigeria Data Protection Act (2023), as a user of our application, i.e., the data subject, you have the following rights regarding your personal data:

5.1 Right to be Informed: You have the right to know how we collect and use your personal data. Before collecting, processing, sharing, or storing your personal information, we will provide you with clear and understandable notice and ensure that you give consent with full knowledge.
5.2 Right of Access: The data subject has the right to access their personal data. Upon request, the data subject may obtain the following information:; The content and nature of the data processed;; The source of the data;; The method of data processing;; The names and addresses of data recipients;; Information about any automated decision-making processes that significantly affect the data subject;; The purpose of data sharing (if applicable);; The date of the most recent data access or modification;; The name and contact information of the data controller (Lendsafe Care APP).
5.3 Right to Object: The data subject has the right to object to the processing of their personal data, especially in the following circumstances:; Automated decision-making;; Direct marketing;; Analytics.; The data subject may refuse or withdraw consent, particularly when the basis or purpose of processing is inconsistent with what was initially disclosed.; Exceptions:; The Lendsafe Care APP may process personal data without explicit consent in the following instances:; When processing is necessary for the performance of a contract to which the data subject is a party;; When required by law or subpoena;; When processing is based on an employer-employee relationship and is necessary or expected;; When permitted or required by applicable legal obligations.
5.4 Right to Deletion or Restriction: In any of the following circumstances, the data subject may request that we block, delete, or destroy their personal data from our system:; The data is untrue, outdated, incomplete, or unlawfully obtained;; The data contains sensitive private information that may cause harm or adverse effects, unless processed for public interest, freedom of speech, or other legitimate reasons;; The data subject withdraws consent or objects to processing, and there is no overriding legal basis;; The data is used for purposes not authorized by the data subject;; The data is no longer used for the original collection purpose;; The data processing method infringes upon the rights and freedoms of the data subject.

6. How Do We Protect Your Data?

6.1 We are committed to protecting your personal data through comprehensive and layered security measures in accordance with the following laws, regulations, and guidelines:: Nigeria Data Protection Act (2023); Current guidelines and recommendations issued by the Nigeria Data Protection Commission (NDPC); Nigeria Data Protection Regulation (NDPR, 2019)
6.2 Our security measures cover the following aspects:: Technical safeguards: employing end-to-end encryption, secure data transmission protocols, and device-level protection; Physical security: restricting access to data centers and offices; Procedural safeguards: implementing internal data access management and incident response plans; Administrative safeguards: conducting regular employee training, enhancing privacy awareness, and implementing access controls; All collected personal data is stored in encrypted form on our secure servers,These systems are continuously monitored to detect and mitigate risks such as unauthorized access, disclosure, misuse, or tampering.
6.3 Data Security: We are committed to safeguarding your personal data through administrative, technical, and physical protective measures that comply with industry standards. Specific security measures are as follows:; Security audits: We regularly conduct internal and third-party assessments to identify and mitigate potential security vulnerabilities.; Risk monitoring: Through continuous risk assessment, we can promptly identify threats and strengthen data protection measures.; Data encryption: Your personal data is protected by encryption technology during transmission and storage (at rest).; Access control and multi-factor authentication: Data access by users and employees is protected by multi-layer verification mechanisms to ensure that only authorized personnel can access sensitive information.; To address the evolving threat landscape, we continuously update our security infrastructure to ensure your information receives the most prudent and comprehensive protection.
6.4 Processing of User-Submitted Data Requests: ➢ To submit a data access request, the user must send a written email to the Data Protection Officer (DPO) email,clearly specifying the type or scope of data requested. To ensure the legitimacy and security of the request, the user must provide a valid government-issued ID, such as a national ID card, passport, etc., for identity verification. If submitting a request on behalf of another person, corresponding legal documents or a signed power of attorney must be provided. During the request processing, we reserve the right to require the user to provide additional information to confirm identity or legal authority to prevent unauthorized disclosure.; ➢ Upon receiving a valid request, we will send an acknowledgment within 72 hours; we will provide a substantive response within 30 calendar days; if the situation is complex, the timeline may be extended by 15 days, but we will notify the applicant in advance and state the reasons. In most cases, DSAR (Data Subject Access Request) should be processed free of charge; if the application is manifestly unfounded, excessive, or repetitive, we reserve the right to charge a reasonable administrative fee or refuse the request with written reasons.; ➢ We have the right to lawfully refuse the application in whole or in part if disclosing the information may infringe upon the privacy rights of others; or if the request is deemed abusive, lacking reasonable basis, or posing a threat to business security; or if the requested data falls under legal exemptions (e.g., involving anti-fraud, law enforcement, or attorney-client privilege, etc.); or if the relevant data has been deleted according to the established retention schedule. In these cases, the data subject will receive a written explanation detailing the specific reasons for refusal or partial disclosure.

7. How to Contact Us?

If you have any questions about this Policy, or related complaints or suggestions, you may contact us through the following methods:

To delete an account or for other inquiries, please email:customerservice@lendsafecare.ng

You may also directly contact our customer service department. The email address of our Data Protection Officer (DPO) is: smartloansdpo@proton.me

To adapt to changes in national laws and regulations, regulatory policies, and to meet operational requirements, we may periodically revise this Policy. If significant changes are involved, we will notify users through our application interface or email, with the specific notification method determined based on actual circumstances.