Digital Rewards. Real Connections.
PRIVACY POLICY
For Individual Users, Merchants & Business Clients
| Document | Privacy Policy |
| Version | 1.0 |
| Effective Date | 28th May 2026 |
| Governed By | Nigeria Data Protection Act, 2023 |
| Issued By | Quivy |
TABLE OF CONTENTS
- Introduction & Who We Are
- Who This Policy Applies To
- What Personal Data We Collect
- How We Collect Your Data
- Why We Use Your Data & Legal Bases
- Third-Party Sharing
- Data Retention & Account Deletion
- Data Security
- Your Rights Under the NDPA 2023
- Cookies & Tracking
- Children's Privacy
- Changes to This Policy
- Contact & Complaints
1. Introduction & Who We Are
Quivy ("Quivy", "we", "us", or "our") is a digital rewards platform incorporated under the laws of the Federal Republic of Nigeria (RC Number: RC9065513), with its registered office at 1 Alhaji Akinsanya Estate, Ibeshe. Ikorodu. Quivy enables individuals, merchants, and business clients to create, distribute, and redeem digital rewards, including gift vouchers and airtimes, through our Platform.
We are committed to protecting the personal data of every person who interacts with our Platform. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights available to you under the Nigeria Data Protection Act, 2023 (NDPA 2023) and any regulations issued thereunder by the Nigeria Data Protection Commission (NDPC).
By accessing or using the Quivy Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, you should discontinue your use of the Platform immediately.
2. Who This Policy Applies To
This Privacy Policy applies to all persons who interact with the Quivy Platform in any capacity, including:
- Individual Users — natural persons who use the Platform to send or receive digital rewards for personal purposes;
- Merchants — businesses and service providers who list, issue, or fulfil digital rewards through the Platform;
- Business Clients — corporate entities and organisations that use the Platform to procure and distribute digital rewards for commercial, promotional, or employee engagement purposes;
- Recipients — persons who receive a digital reward through the Platform, whether or not they hold a Quivy account;
- Website visitors — any person who visits Quivy's website or accesses any digital interface operated by Quivy.
Where different provisions of this Policy apply to different categories of users, this shall be clearly indicated.
3. What Personal Data We Collect
3.1 Individual Users
When you register and use the Platform as an Individual User, we collect the following personal data:
- Identity data: full name;
- Contact data: email address and mobile telephone number;
- Payment data: payment instrument details used to fund your wallet or purchase digital rewards (processed through our third-party payment processor; we do not store full card details);
- Transaction data: history of digital rewards purchased, sent, received, and redeemed;
- Technical data: IP address, device type, browser type, operating system, and login activity;
- Usage data: how you interact with and navigate the Platform.
3.2 Merchants
When you register as a Merchant on the Platform, we collect the following data:
- Business identity data: registered business name;
- Contact data: business email address and telephone number;
- Branding data: business logo (for display on the Platform and co-branded campaigns);
- Location data: business physical address;
- Financial data: bank account details provided for the purpose of settlement of redeemed digital rewards.
3.3 Business Clients
When you register as a Business Client, we collect the following data:
- Business identity data: registered business name;
- Contact data: business email address and telephone number;
- Branding data: business logo (for display in campaigns and co-branded digital rewards);
- Location data: business physical address;
- Financial data: bank account or virtual account details for the purpose of wallet funding and settlement;
- Campaign data: Recipient lists (comprising the name, email address, and/or mobile telephone number of intended Recipients) uploaded by the Business Client for the purpose of distributing digital rewards.
Regarding Recipient lists: Business Clients who upload Recipient data to the Platform warrant that they have collected such data lawfully and obtained all necessary consents for Quivy to process it for the purposes of campaign delivery. Quivy processes Recipient data solely for the purpose of distributing digital rewards on behalf of the Business Client.
3.4 Recipients (Non-Account Holders)
Where a digital reward is sent to a person who does not hold a Quivy account, we collect only the minimum data necessary to deliver the reward, specifically:
- Full name;
- Email address; and/or
- Mobile telephone number.
This data is collected from the sender (Individual User or Business Client) and is used solely to deliver the digital reward to the intended Recipient. It is not used for any marketing or profiling purpose.
4. How We Collect Your Data
We collect personal data through the following means:
Directly from you
- when you create or update your Quivy account;
- when you complete any transaction on the Platform (purchasing, sending, or redeeming a digital reward);
- when you contact us for support or make an inquiry;
- when you upload a Recipient list as a Business Client.
Automatically
- through cookies and similar tracking technologies when you access our website or application (see Section 10);
- through our servers, which automatically record technical data such as your IP address, access times, and browser information when you use the Platform.
From third parties
- from payment processors, who provide us with transaction confirmation and status updates in connection with payments made through the Platform.
5. Why We Use Your Data & Legal Bases
We process your personal data only where we have a lawful basis to do so under the NDPA 2023. The table below sets out the purposes for which we use your data and the corresponding legal basis in each case.
| To create and manage your Quivy account | Performance of a contract |
| To process transactions and distribute digital rewards | Performance of a contract |
| To operate and maintain your virtual account (for all users) | Performance of a contract |
| To verify your identity and comply with KYB requirements (Business Clients & Merchants) | Legal obligation |
| To detect, prevent, and investigate fraud, money laundering, and other unlawful activity | Legal obligation / Legitimate interest |
| To process settlements and payouts to Merchants and Business Clients | Performance of a contract |
| To communicate with you about your account, transactions, and Platform updates | Performance of a contract / Legitimate interest |
| To improve and develop the Platform through analysis of usage data | Legitimate interest |
| To comply with applicable Nigerian laws, regulatory obligations, and lawful orders from competent authorities | Legal obligation |
| To send you marketing communications about Quivy products and features (where you have opted in) | Consent |
Where we rely on consent as our lawful basis, you may withdraw your consent at any time by contacting us using the details set out in Section 13. Withdrawal of consent shall not affect the lawfulness of any processing carried out prior to such withdrawal.
6. Third-Party Sharing
We do not sell, rent, or trade your personal data to any third party. We share your personal data only in the limited circumstances described below.
6.1 Payment Processors
We share the personal and financial data necessary to process payments with our licensed third-party payment processors. These processors are engaged solely for the purpose of facilitating transactions on the Platform and are contractually prohibited from using your data for any other purpose. All payment processors engaged by Quivy are required to maintain appropriate security standards.
6.2 Regulatory & Law Enforcement Authorities
We may disclose your personal data to competent regulatory, law enforcement, or governmental authorities where we are required to do so by applicable Nigerian law or by a valid court order or regulatory directive, including but not limited to disclosures required by the Central Bank of Nigeria (CBN), the Economic and Financial Crimes Commission (EFCC), the Nigerian Financial Intelligence Unit (NFIU), and the Nigeria Data Protection Commission (NDPC).
6.3 Corporate Transactions
In the event of a merger, acquisition, restructuring, or sale of all or part of Quivy's business, your personal data may be transferred to the relevant successor entity, subject to that entity's commitment to maintain the same standard of data protection as set out in this Policy. You will be notified of any such transfer in advance where reasonably practicable.
6.4 Campaign Participation Data
Where you participate in a giveaway or promotional campaign hosted by a Business Client through the Quivy Platform, certain personal data collected in connection with your participation — including your name, email address, and/or mobile telephone number — may be shared with the Business Client who hosted such campaign. This sharing is necessary for the Business Client to fulfil the purposes of the campaign, including winner verification, reward delivery, and campaign reporting. By participating in any campaign on the Platform, you acknowledge and consent to this sharing. Quivy shall ensure that Business Clients who receive such data are bound by obligations of confidentiality and data protection consistent with the requirements of the NDPA 2023.
6.5 No Further Sharing
We do not share your personal data with advertisers, data brokers, or any other third party not described in this Section 6. Any future engagement of additional third-party processors will be reflected in an updated version of this Privacy Policy.
7. Data Retention & Account Deletion
7.1 Retention During Active Use
We retain your personal data for as long as your Quivy account remains active and for such additional period as may be necessary to fulfil the purposes set out in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements.
7.2 Account Deletion
You may request the deletion of your Quivy account at any time through the Platform or by contacting us using the details in Section 13. Upon deletion of your account, Quivy will remove your active profile data — including your name, contact details, login credentials, and preferences — from the live Platform.
7.3 Retention of Historical Records After Deletion
Notwithstanding Section 7.2, the following categories of data shall be retained in Quivy's systems indefinitely following account deletion, regardless of the request:
- transaction records and financial histories;
- campaign records and reward/gifts distribution logs;
- audit trails and system activity logs;
- any data relevant to a pending, ongoing, or reasonably foreseeable legal, regulatory, or law enforcement matter.
Why we retain this data indefinitely: As a financial services platform operating under the oversight of Nigerian regulatory authorities — including the CBN, EFCC, and NFIU — Quivy is required to maintain full and accurate records of all financial transactions and platform activity. These records may be required at any time in connection with a regulatory audit, law enforcement investigation, anti-money laundering review, or legal proceeding. Indefinite retention ensures that Quivy can fully cooperate with any competent authority without data loss. Retained data shall not be used for marketing, profiling, or any commercial purpose.
8. Data Security
Quivy implements appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure. These measures include, but are not limited to:
- encryption of data in transit and at rest;
- access controls and authentication requirements to limit access to personal data to authorised personnel only;
- regular security assessments and monitoring of our systems;
- contractual obligations on all third-party processors to maintain equivalent security standards.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Quivy shall notify the NDPC within seventy-two (72) hours of becoming aware of the breach, and shall notify affected users without undue delay where the breach is likely to result in a high risk to their rights, in accordance with the NDPA 2023.
9. Your Rights Under the NDPA 2023
Under the Nigeria Data Protection Act, 2023, you have the following rights in respect of your personal data held by Quivy:
- Right of access: You may request a copy of the personal data we hold about you and information about how we process it.
- Right to rectification: You may request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to erasure: You may request the deletion of your personal data in certain circumstances (subject to our retention obligations under Section 7.3).
- Right to object: You may object to our processing of your personal data where we rely on legitimate interest as our lawful basis.
- Right to withdraw consent: Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to data portability: You may request that we provide your personal data in a structured, commonly used, and machine-readable format.
- Right to lodge a complaint: You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe we have processed your data unlawfully.
To exercise any of the rights above, please contact us using the details set out in Section 13. We will respond to all valid requests within thirty (30) days of receipt, in accordance with the NDPA 2023.
Please note that certain rights are subject to limitations. For example, the right to erasure will not apply where retention of data is required for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims (see Section 7.3).
10. Cookies & Tracking
Quivy uses cookies and similar tracking technologies on its website and application to enhance your experience, analyse Platform usage, and support the security and functionality of our services.
10.1 Types of Cookies We Use
- Strictly necessary: Essential for the Platform to function. Cannot be disabled.
- Functional: Remember your preferences and settings to personalise your experience.
- Analytical: Help us understand how users interact with the Platform so we can improve it (e.g., pages visited, time spent).
10.2 Managing Cookies
You can manage or disable non-essential cookies through your browser settings at any time. Please note that disabling certain cookies may affect the functionality of the Platform. We do not use cookies for targeted advertising or share cookie data with third-party advertisers.
11. Children's Privacy
The Quivy Platform is not intended for use by persons under the age of eighteen (18) years. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected personal data from a person under the age of eighteen (18), we will take immediate steps to delete such data from our systems.
If you believe that a minor has provided personal data to Quivy without appropriate parental consent, please contact us immediately using the details in Section 13.
12. Changes to This Policy
Quivy reserves the right to update or amend this Privacy Policy from time to time to reflect changes in our data practices, the Platform, or applicable law. Where changes are material, we will notify you through the Platform, by email, or by such other means as we consider appropriate, at least fourteen (14) days before the changes take effect.
The date of the most recent update will always be indicated at the top of this document. Your continued use of the Platform following the effective date of any updated Policy shall constitute your acceptance of the changes.
13. Contact & Complaints
If you have any questions about this Privacy Policy, wish to exercise any of your rights under the NDPA 2023, or wish to raise a concern about how we handle your personal data, please contact us using the details below:
| Entity | Quivy Technologies Limited |
| Registered Office | 1 Alhaji Akinsanya Estate, Ibeshe. Ikorodu |
| Data Contact Email | support@quivy.io |
| Telephone | 0814 822 2534 |
| Website | www.quivy.com |
If you are not satisfied with our response, you have the right to lodge a complaint directly with the Nigeria Data Protection Commission (NDPC) at:
| Website | www.ndpc.gov.ng |
| Address | No. 5 Adeyemo Alakija Street, Victoria Island, Lagos / Plot 2 Olu Obasanjo Road, Port Harcourt, Rivers State |
| info@ndpc.gov.ng |
By using the Quivy Platform, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and use of your personal data as described herein.
