Legal

Privacy Policy

Bompai Microfinance Bank Limited ('Bompai', 'we', 'our', 'us') respects your right to privacy. This policy explains the personal data we collect, why we collect it, how we use and protect it, and the rights you have under the Nigeria Data Protection Act, 2023 (NDPA) and applicable CBN regulations.

Last updated: 01 June 2026

1. Scope of this policy

This policy applies to customers, prospective customers, agents, beneficiaries, website visitors and users of the Bompai mobile app, USSD channel (*977#), POS terminals, cards and any other Bompai digital service.

2. Personal data we collect

Depending on the products you use, we may collect:

  • Identity data: full name, date of birth, gender, BVN, NIN, photograph, signature, government ID.
  • Contact data: residential address, phone number, email, next-of-kin details.
  • Financial data: account number, transaction history, salary, employer, source of funds, credit history.
  • Device & usage data: IP address, device ID, app version, location (when granted), session logs.
  • Biometric data: fingerprint or facial template (only for device-level authentication; never uploaded to our servers in raw form).

3. Lawful basis for processing

  • Contract: to open accounts, process transactions and deliver services you requested.
  • Legal obligation: CBN, NDIC, NFIU, FIRS and NDPA requirements (KYC, AML/CFT, tax, reporting).
  • Legitimate interest: fraud prevention, service security, product improvement, recovery of debts.
  • Consent: marketing communications, optional analytics and certain location features — you can withdraw at any time.

4. How we use your data

  • Verify your identity and onboard you in line with CBN KYC rules.
  • Operate your account, process deposits, withdrawals, transfers and card transactions.
  • Assess loan applications and manage credit risk (including credit bureau checks).
  • Detect and prevent fraud, money laundering, terrorism financing and sanctions breaches.
  • Respond to your enquiries and complaints; train our staff using anonymised samples.
  • Send service messages, statements and — with your consent — marketing offers.

5. Who we share data with

We never sell your personal data. We share it only with:

  • Regulators and law enforcement: CBN, NDIC, NFIU, EFCC, FIRS, courts and security agencies upon lawful request.
  • Credit bureaux (CRC, CreditRegistry, FirstCentral) for credit assessment and reporting.
  • Payment infrastructure: NIBSS, Interswitch, Unified Payments, AfriGO, Verve, Visa and Mastercard.
  • Vetted service providers (cloud hosting, card production, SMS, KYC verification) under strict data-processing agreements.
  • Auditors, lawyers and professional advisers under confidentiality obligations.

6. Cross-border transfers

Some of our processors host data outside Nigeria. Where this happens, we ensure the destination provides an adequate level of protection, or we put in place standard contractual clauses approved by the Nigeria Data Protection Commission (NDPC).

7. Retention

We keep account and transaction records for a minimum of 10 years after the account is closed, in line with CBN and AML/CFT rules. Other data is retained only for as long as needed for the purpose collected, then deleted or anonymised.

8. How we protect your data

  • End-to-end TLS 1.2+ encryption on all channels; AES-256 for data at rest.
  • PCI-DSS controls on card systems; tokenisation of card numbers.
  • Multi-factor authentication, role-based access and full audit logging.
  • Continuous fraud monitoring, sanctions screening and threat intelligence.
  • Annual independent penetration tests and ISO 27001-aligned controls.

9. Your rights under the NDPA

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or outdated information.
  • Erasure — request deletion where there is no overriding legal basis.
  • Restriction & objection — pause or object to certain processing.
  • Portability — receive your data in a structured, machine-readable format.
  • Withdraw consent — for any processing based on consent, at any time.
  • Lodge a complaint with the Nigeria Data Protection Commission (NDPC).

10. Contacting our DPO

Our Data Protection Officer can be reached at dpo@bompaimfb.com or by post to: The DPO, Bompai Microfinance Bank Limited, Bompai Road, Nassarawa LGA, Kano State, Nigeria. We respond to all valid requests within 30 days.

11. Changes to this policy

We may update this policy from time to time. The latest version will always be published on this page with a revised "Last updated" date. We will notify you of material changes via email, SMS or in-app message.

Questions about this policy?

Reach our Compliance & Customer Care desk at compliance@bompaimfb.com or call +234 (0) 800 BOMPAI.