Privacy Policy

Last updated: June 19, 2026

Our Privacy Principles

We're committed to protecting your privacy and data.

Data Encryption

All data is encrypted in transit and at rest using industry-standard encryption protocols.

Transparency

We're transparent about what data we collect and how we use it.

User Control

You can access, correct, export, or request deletion of your personal data where the law allows, subject to retention rules for payments and compliance.

Data Minimization

We only collect the data necessary to provide our services.

1. Introduction

Staff Pay ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our payroll, wallet, bill payment, and payment automation platform, including the website and, when available, native mobile apps that connect to the same account.

Who we serve. Staff Pay serves businesses, households, and individuals. Automate recurring bank payments with the same schedules and Quick Transfers. Payroll and employer-related payments are central to the product; other lawful uses of the same features are described in our Terms of Service.

By using Staff Pay, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

2.1 Personal Information

We collect information that you provide directly to us, including:

  • Name, email address, phone number, and contact information
  • Business information, company records, and registration details you add (for example CAC-related fields where collected)
  • Bank account numbers, account names, and payment method references (wallet funding, withdrawals, and saved payout destinations)
  • Tokenized card or Direct Debit mandate references from Paystack, not your full card PAN in our application database
  • Beneficiary information (names, salaries, bank details, invite status)
  • Transaction history, ledger entries, payout and gift batches, and bill payment records
  • Saved bill profiles and schedule metadata (for example meter or smart card numbers, phone numbers for airtime or data, decoder or customer IDs, amounts, and nicknames you assign)
  • Optional two-factor authentication (2FA) secrets or backup codes handled through our auth stack
  • Support ticket subjects and message threads, product suggestions, and attachments you upload to those flows
  • Referral program data: referral codes we assign to you, referral links you share, codes or links used when you sign up, and records of referral rewards credited to your wallet (currently up to three qualifying referred deposits per invitee)

2.2 Identity Verification (KYC) and Compliance

To comply with Nigerian law, the Central Bank of Nigeria (CBN) regulations, and anti-money laundering (AML) and counter-terrorism financing (CFT) requirements, we may collect and verify:

  • Government-issued identification (e.g., National ID, voter card, international passport)
  • Bank Verification Number (BVN) or other identity verification data where required
  • National Identification Number (NIN) or other alternate documents when the flow requests them
  • International passport details when you use the non-Nigeria verification path
  • Business registration documents, CAC certificates, and beneficial ownership information
  • Proof of address and source of funds documentation
  • Biometric or liveness session metadata from our identity partners when those steps are enabled

KYC and compliance data is collected for legal obligation, fraud prevention, and security. We may share this information with regulators, law enforcement, or our licensed payment partners as required by law.

2.3 Automatically Collected Information

When you use our services, we automatically collect:

  • Device information (IP address, browser type, operating system, and when you use our mobile apps, device identifiers the OS exposes to the app)
  • Usage data (pages or screens visited, features used, time spent)
  • Cookies and similar tracking technologies (web); app-specific storage or SDKs as disclosed when those apps ship
  • Referral attribution stored locally (for example a short-lived referral code cookie on web or app storage when you open a signup link with ?ref=)
  • Error and performance telemetry (for example crash reports) sent to our observability vendors with limited device and session context

2.4 Bill payments and schedules

When you validate or pay a bill, we send the minimum identifiers and amounts required to integrated bill networks or aggregators (for example Flutterwave, eBills, or other providers we enable) so they can quote, debit their float, or post value to utilities and telcos. We log responses, references, and status for reconciliation, support, and fraud monitoring. Scheduled bill runs reuse the saved profile data you already provided. Catalog availability can change without notice when upstream networks adjust products.

2.5 Support, suggestions, and optional AI assistant

Messages you send through Dashboard → Support, product suggestion forms, or similar in-product channels are stored with your account so our team can respond. Where we offer an AI-assisted chat experience and you choose to use it, portions of your conversation (including text you type and structured context the Service attaches to operate tools safely) may be transmitted to OpenAI or similar model providers to generate replies. Do not paste internet-banking passwords, card PINs, or full card numbers into chat; those belong only in the dedicated secure fields our payment partners render. AI output can be wrong: you remain responsible for reviewing actions before you confirm payments or account changes.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our payroll, wallet, bill payment, and payment automation services
  • Process payments, wallet funding, withdrawals, bill validations, and transactions
  • Operate bill schedules, auto-charge, low-balance notifications, and retry workflows you configure
  • Conduct identity verification (KYC) and comply with CBN, AML/CFT, and other regulatory requirements
  • Send you service-related communications
  • Respond to your inquiries and provide customer support
  • Detect, prevent, and address technical issues, fraud, and money laundering
  • Comply with legal obligations and enforce our terms
  • Analyze usage patterns to improve user experience

4. Information Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

  • Service providers and subprocessors: With vendors who process data on our instructions, including without limitation Paystack (payments, virtual accounts, cards, Direct Debit), integrated bill aggregators (such as Flutterwave or eBills), identity and compliance vendors (for example Prembly or other KYC partners we enable), OpenAI or similar vendors when AI-assisted features are turned on, email and SMS delivery providers, cloud hosting and database operators, and observability tools (such as Sentry) for reliability and security monitoring. Their use of data is governed by their own policies for elements they process directly (for example card data on Paystack's PCI environment).
  • Regulators and Law Enforcement: With the Central Bank of Nigeria (CBN), Nigeria Financial Intelligence Unit (NFIU), law enforcement, or other authorities when required by law or to prevent fraud, money laundering, or terrorism financing
  • Legal Requirements: When required by law, court order, or government regulation
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Your Consent: When you explicitly authorize us to share your information

Funding identifiers and partner events. When you fund your wallet using a dedicated virtual account (NUBAN) from our payment partner, we receive automated signals (for example assignment or reassignment events) that may include account numbers and bank metadata. We use that data to show current funding instructions in your dashboard, send in-app and email notices when details change, and retain limited internal records for fraud prevention, reconciliation, and support. We intentionally do not surface superseded account numbers in the product UI to reduce confusion; you should always follow the live details in the app and any official notices we send you.

5. Data Security

We implement industry-standard security measures to protect your information, including:

  • 256-bit SSL encryption for data in transit
  • Encryption at rest for stored data
  • Regular security audits and vulnerability assessments
  • Access controls and authentication mechanisms
  • Secure data centers with physical security measures

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

6. Your Rights

Under the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation (NDPR) where it still applies, and related regulations, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data
  • Restriction: Request limitation of processing
  • Portability: Receive your data in a structured format
  • Objection: Object to processing of your data

To exercise these rights, please contact us at hello@staffpay.ng.

7. Data Retention

We retain your personal information for as long as necessary to provide our services and fulfill the purposes outlined in this policy, unless a longer retention period is required by law.

Account closure: When you close your account (via Deactivate or Permanently Delete in Settings), we will delete or anonymize your personal information within 30 days. You may permanently delete your account and all associated data at any time from Dashboard → Settings → Permanently Delete Account.

System data: Application logs and notifications are retained for 3 months, then automatically deleted. Cookie and consent preferences are logged for compliance and retained as required by law.

KYC and compliance data: Identity verification records and AML/CFT documentation are retained as required by CBN regulations and Nigerian law (typically up to at least 5 years after the end of the business relationship).

Where Nigerian law, tax regulations, or financial regulations require longer retention, we retain data in accordance with those requirements.

8. Cookies and Tracking

We use cookies and similar tracking technologies to enhance your experience, analyze usage, and assist with marketing efforts. You can control cookie preferences through your browser settings.

For more information, please see our .

9. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

We encourage you to review this policy periodically to stay informed about how we protect your information.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Staff Pay Privacy Team

Email: hello@staffpay.ng

Phone: +234 813 878 1051

Address: Lagos, Nigeria