Introduction

This Privacy Policy ("Privacy Policy") applies to Wahed Limited NGA ("Wahed") website at www.wahed.com/nga (the "Website") or the mobile digital application through which the service is delivered (the “Mobile App”). This Privacy Policy covers the collection, processing and other use and disclosure of personal data under the Nigeria Data Protection Act 2023 ("NDPA") and the General Data Protection Regulation ("GDPR"). For the purpose of the NDPA and GDPR we are the data controller/user and any enquiry regarding the collection or processing of your data should be sent to our email: nigeriasupport@wahed.com. For the purpose of this Privacy Policy, the terms "we", "us" and "our" refer to Wahed. "You" refers to you as the user of the Website or the Mobile App. This Privacy Policy has been developed as an extension of our commitment to combine the highest-quality services with the highest level of integrity in dealing with all users of the Website or Mobile App. It is designed to assist you in understanding how we collect, use and safeguard personal information you provide to us and to assist you to make informed decisions. We will treat personal data that you provide through the Website according to this Privacy Policy, the NDPA and the GDPR. This statement will be continuously assessed and updated against new technologies, business practices and our customers' needs. 

PLEASE REVIEW THIS PRIVACY POLICY CAREFULLY.

By visiting and/or submitting information to or through this Website or the Mobile App, you agree to be bound by the terms and consent to the collection, use, disclosure, retention and processing of your information as described in this Privacy Policy, the NDPA and the GDPR.

Exclusion

You might find links to third party websites on our website. These websites should have their own privacy policies, which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.

Amendments to the Privacy Policy

This Privacy Policy will come into effect on 5th of September, 2025 (the "Effective Date"). Although most changes are likely to be minor, we may change our Privacy Policy from time to time, to reflect changes to the Website, customer feedback and applicable law and at our sole discretion. If we decide to change our Privacy Policy, we will post those changes on this page so that you are always aware of what information we collect, how we use it, and under what circumstances we disclose it. We will at all times notify you of any changes or updates. We will not make retroactive changes that reduce your privacy rights unless we are legally required to do so. Your continued use of the Website and/or the Wahed mobile application after any change in this Privacy Policy will constitute your acceptance of the amended Privacy Policy.

This policy is intended to establish prudent and effective guidelines on the ways in which Wahed Limited collects, uses and protects personal information of its users under the Nigeria Data Protection Act. 2023 (NDPA) and General Data Protection Regulation (GDPR). We are committed to protecting your personal information and right to privacy.

Overview

Wahed designed this Privacy Policy to treat your personal information as private and confidential. This policy describes how we collect, use, process, disclose and protect your personal data (Personal Data).

This privacy policy sets out how Wahed treats personal data we collect from you, provided to us, and it will be processed by us. Kindly review this Privacy Policy carefully to understand our approach and praxis concerning your personal data and how we treat it. By assessing or using our services, Mobile app or Website (, you agree to this Privacy Policy and our Terms of Use.

Consent

Wahed requires your explicit consent to collect and process your Personal Data where consent is the lawful basis for processing under the Nigeria Data Protection Act, 2023 (NDPA) and, where applicable, the General Data Protection Regulation (GDPR). By consenting to this Privacy Policy, you acknowledge and agree to the collection, use, disclosure, retention, and processing of your Personal Data as described herein.

If we request Sensitive Personal Data (such as biometric information), you will be notified of the purpose and manner of use at the time of collection, and your explicit consent will be obtained before such processing takes place.

You may withdraw your consent at any time by contacting our Data Protection Officer at nigeriasupport@wahed.com. Withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal. For further details, please refer to the Withdrawal of Consent section of this Policy.

Conditions for Processing or Collecting Personal Data

Wahed or any third party acting on its behalf shall only process your Personal Data if at least one of these conditions are met:

• Consent: this refers to any freely given, specific, informed, and unambiguous indication through a statement or a clear affirmative action that signifies your agreement to the processing of your Personal Data by Wahed. Wahed does not intend to seek consent that may engender direct or indirect propagation of atrocities, hate, criminal acts, and anti-social conducts.
• Contract: processing is necessary for the performance of a contract or entering into a contract at your request.
• Legal obligation: processing is necessary for compliance with a legal obligation to which Wahed is subject.
• Vital interest: processing is necessary to protect your vital interests or those of another natural person.
• Public interest: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Wahed.
  

Personal Data We Collect

We collect and process personal data that you provide directly to us, data generated by your use of our Mobile Application or Website visits, and information obtained from authorised third parties. This includes:

• Identification Data: full name(s), date of birth, government-issued identification numbers (including Bank Verification Number (BVN) and National identification number (NIN)), and copies of official documents such as a passport, government-issued identity card, driver’s licence, voter’s ID or national ID card.
• Biometric Data:
  
  • Device-native biometrics (fingerprint or face recognition): used solely for secure login. This data is stored only on your device within its secure hardware. Wahed does not collect, store, or transmit this data.
  • Facial orientation and expression data: captured during liveness checks, confirming that the user is a real person. This data is used exclusively for real-time analysis during the verification process. It is transmitted securely to our authorised identity verification provider to carry out these checks.
  • Selfie images for identity verification (KYC): transmitted securely to our authorised identity verification provider for compliance with Know Your Customer (KYC) and Anti-Money Laundering (AML) obligations. The actual image is not retained. Instead, an embedding of the image is stored, which is kept within the cloud services for the duration of the data retention period.
• Contact Data: residential and postal address, e-mail address, and mobile number.
• Financial Data: bank account details, debit or credit card numbers, transaction history, transaction time, account name, and payment information, value of the transaction in Naira, photos and other information you attach to your transaction.
• Demographic Data: gender, date of birth, zip code, and related attributes.
• Technical and Device Data: IP address, browser type, operating system, device identifiers, and geolocation derived from GPS or Wi-Fi.
• And we record your discussion with us if you contact us or we contact you.

‍

Certain personal Information such as genetic and biometric, race or ethnic origin, religion or similar beliefs, health status, sex life, political opinions or affiliations, trade union memberships or other information prescribed by the commission is characterized as sensitive (“Sensitive Personal Data”) and subject to stricter regulation than other personal information. Before providing it to us, we urge you to carefully consider whether to disclose your Sensitive Personal Data to us. If you do provide Sensitive Personal Data to us, you consent to its use and disclosure for the purposes and in the manner described in this Privacy Policy.

‍

Use of Facial Data

When you use our identity verification feature, the Wahed Mobile App captures your facial orientation and expression data (for liveness) and your facial image (or selfie) through your device’s camera systems via the SDKs provided by our authorised identity verification provider.

‍

Liveness Data:

• What is collected: face 3D spatial orientation and facial expressions.
• Purpose of collection: this is exclusively used for real-time analysis during the verification process to confirm that the selfie being taken is of a live user, for the purposes of authentication and fraud reduction and it is not stored. Its usage is strictly limited to the liveness detection function.
• Storage and sharing: it is transmitted securely to our authorised identity verification provider to carry out these checks. The spatial orientation/facial expression data is not submitted by our authorised identity verification provider to any third or first parties.

Once liveness is verified, the user’s facial image (or selfie) is captured.

‍

Selfie Data: 

• What is collected: face 3D spatial orientation and facial expressions, as well as a selfie image.
• Purpose of collection: the user’s facial image is captured to authenticate the identity of the user.
• Storage and sharing: The facial image is not retained. An embedding of the image is stored by our authorised identity verification provider, which is securely stored on their servers for the duration of the data retention period.

‍

The biometric data is never used for marketing, advertising, personalisation, or any purpose beyond security and compliance.

Non-Personal and Technical Information

In addition to the Personal Data described above, we collect certain non-personal or technical information when you access or use our mobile application or website. This may include:

• Technical Data: browser type, internet service provider, IP address, operating system, and web pages visited.
• Usage Data: information about what you have searched for and viewed while using the Services.
• Marketing Preferences: records of your decision to subscribe to or withdraw from receiving marketing communications.
• Metadata: information related to items you upload or share, such as the date, time, or location where a photograph or video was taken.
• Location Data: derived from GPS, Wi-Fi, or other device signals, to support compliance requirements and tailor onboarding flows regionally.
• Other Derived Information: information made available by you or others that may indicate the current or prior location of a user.

This information is collected automatically through cookies, device identifiers, SDKs, and similar technologies, and is used to:

• Ensure secure onboarding and compliance with applicable KYC/AML obligations;
• Strengthen authentication and fraud-prevention measures;
• Improve the design, functionality, and performance of our Services; and
• Enhance the overall user experience.

How We Collect Information

The types of information we collect and how we process it depend on how you use and access our Services. Information may be collected in the following ways:

1. Directly from You
   
   1. When you create an account to use our Services, complete onboarding, submit identity documentation, or contact us for help or information.
   2. When you voluntarily provide Personal Data through our mobile application or website.
2. Automatically through Use of Our Services
   
   1. Certain technical and usage data are automatically collected when you interact with our website or mobile application, including IP address, device type, operating system, browser type, geolocation, page views, clicks, and navigation history.
   2. This information may be gathered using cookies, server logs, SDKs, and similar data collection tools, as described further below.
3. From Social Media (Optional)
   
   1. If you choose to connect your Wahed account through a social media platform (such as Facebook Connect), we may receive information from that platform in line with your privacy settings.
4. From Business Partners and Service Providers
   
   1. Trusted third parties engaged to support our business operations — such as identity verification providers, KYC/AML service providers, cloud hosting partners, authentication providers, SMS gateways, and payment processors — may collect Personal Data about you through our Services and share it with us under strict confidentiality and security obligations, unless mentioned otherwise in this Policy.

We may combine the information collected from these sources and use the combined data as described in the How We Use Your Data section of this Policy.

Cookies And Data Collection Tools

Our Services use cookies and other similar tools to enable secure functionality, improve performance, and analyse usage.

Categories of Cookies:

1. Essential Cookies: Necessary for login, navigation, and core security. These cannot be disabled.
2. Analytics Cookies: Help us understand how users interact with our Services by collecting anonymous usage data.
3. Marketing Cookies: Track browsing behaviour to deliver tailored content and advertising. You may opt out of these.

User Consent and Management:
By using our Services, you consent to the use of cookies as described. You may:

• Accept All Cookies (enable all categories).
• Reject Non-Essential Cookies (allow only essential cookies).

Other Data Collection Tools:
In addition to cookies, we may use tools such as web beacons and server logs to help improve your experience. These tools may capture details about the device used to access the Services, including operating system type, browser type, domain, country, and time zone.

Such information does not ordinarily identify you personally and is primarily used for statistical analysis, fraud detection, security monitoring, and performance improvement.

How We Use your Data

We may process the information we collect/you provide to us in accordance with the Nigeria Data Protection Act, 2023 (NDPA) and GeneralData Protection Regulation (GDPR). This information is primarily used to enable us to provide our services to you. In addition, we may use the information for the following purpose(s): 

• Verifying your identity and carrying out Know-Your-Customer (KYC) and anti-money laundering checks;
• Providing, managing, and improving our Services;
• Securing accounts through authentication, liveness detection, fraud prevention measures and to detect illegal activities; or for archival and backup purposes in connection with the provision of services;
• Processing transactions and maintaining accurate records;
• Complying with legal, regulatory, and tax obligations;
• To operate, improve and personalize the products and services we offer, and to give each user a more consistent and personalized experience when interacting with us;
• To communicate with you and notify you about any changes to our website or Mobile Application, such as improvements or service/product changes, that may affect our services; 
• Communicating with you about your account and updates to our Services;
• To better understand how users access and use the Website and Mobile application, for the purposes of trying to improve our services and to respond to user preferences, including language and location customization, personalized help and instructions, or other responses to users’ usage of the Website or the App;
• To help us develop our new products and services and improve our existing products and services;
• To provide users with advertising and direct marketing that is more relevant to you;
• To enforce any other applicable policies; and
• To assess the effectiveness of and improve advertising and other marketing and promotional activities on or in connection with the Website or the App.

Without your personal data, we may not be able to provide or continue to provide the Services you require.

Automated Decision-Making and Profiling

We may use your Personal Data as part of automated processing activities designed to provide, improve, and tailor our Services. These activities may include:

• Real-time onboarding and identity verification (KYC/AML);
• Risk and suitability analysis through questionnaires that take into account your financial objectives, and risk tolerance;
• Portfolio recommendations and product eligibility assessments; and
• Client segmentation and some fraud prevention checks.

These processes may result in decisions about you that affect the services we provide, including the type of portfolio or product we recommend, or the terms under which they are offered. However, these recommendations are not binding. You remain free to override the suitability profile and select a different investment option where permitted.

You have the right not to be subject solely to automated decision-making that significantly affects you. You may object to, or request human intervention in, such decisions at any time by contacting us using the details in the Contact Information section of this Policy. Please note that if you withdraw consent to certain automated processes, this may limit or prevent our ability to provide Services to you.

Sharing and Disclosure of Personal Data

We may disclose or share your Personal Data with third parties which include our affiliates, employees, officers, service providers, agents, and partners, only as permitted by law and as may be reasonably necessary for the purposes set out in this policy. Wahed may disclose Personal Data to or share it  with the following parties:

• Wahed may disclose Personal Data to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries in order to perform services requested or functions initiated by users. In addition, we may disclose Personal Data in order to identify a user in connection with communications sent through the Website. 
• With third-party service providers performing services on our behalf; these third party service providers may include: cloud service providers, technology providers, identity verification providers, broker dealer/custodians and other third parties that may be required for the provisions of our services as might be deemed necessary for our function. These services may include but are not limited to identity verification, liveness detection, authentication, SMS delivery, cloud hosting, and payment processing. These providers act strictly as data processors under Wahed’s instructions and are bound by confidentiality and security obligations.
• We share information, including Personal Data, with our service providers to perform the functions for which we engage them (such as hosting and data analyses). We may share information as needed to operate other related services.
• With professional advisers, auditors, or contractors under confidentiality obligations where required for legitimate business purposes.
• We also may share information that we collect from users, as needed, to enforce our rights, protect our property or protect the rights, property or safety of others, or as needed to support external auditing, compliance and corporate governance functions. We will disclose Personal Data as we deem necessary to respond to a subpoena, regulation, binding order of a data protection agency, legal process, governmental request or other legal or regulatory process. We may also share Personal Data as required to pursue available remedies or limit damages we may sustain.
• We may share Personal Data about you in an aggregated form, that is, in a statistical or summary form that does not include any personal identifiers, with third parties in order to discover and reveal trends about how users like you interact with our services.
• We may transfer information, including your Personal Data, in connection with a merger, sale, acquisition or other change of ownership or control by or of us or any affiliated company {in each case whether in whole or in part). When one of these events occurs, we will use reasonable efforts to notify users before your information is transferred or becomes subject to a different privacy policy.

Wahed may share Personal Data with third parties if you have given us your consent to do so or:

• in the event that we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets;
• if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets;
• if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation or in order to enforce or apply our Website Terms and other agreements, but we will endeavor to minimise such disclosure to only that reasonably necessary and, where possible, to provide you with notice of such disclosure; and/or
• to protect the rights, property, or safety of Wahed, the Website, our users and any third party we interact with to provide the Website.

Wahed does not sell personal data to any third party.

Transfer of Personal Data Abroad

Any transfer of personal data outside Nigeria shall be conducted in accordance with the NDPA and subject to adequate safeguards. Such transfers may occur where:

• The receiving country or organisation ensures an adequate level of data protection.
• You have explicitly consented to the transfer after being informed of potential risks.
• The transfer is necessary for performance of a contract with you, or to take steps at your request.
• The transfer is required for the conclusion or performance of a contract in your interest.
• The transfer is necessary for important public interest, legal claims, or vital interests.

In all cases, Wahed ensures that contractual and technical measures are in place to maintain the confidentiality and security of your data.

‍

DATA RETENTION, STORAGE, AND SECURITY

We retain your data for a period of seven (7) years. We also retain Personal Data from closed accounts to comply with applicable law, prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation and other actions permitted by law.

The security of your Personal Data is important to us. We shall take all appropriate security and organizational measures to prevent unauthorized access to, alteration of, disclosure of, accidental loss, and destruction of personal data under our control.

However, the security of information transmitted through the internet can never be guaranteed. We are not responsible for any interception or interruption of any communications through the internet or for changes to or losses of data. Users of the Website are responsible for maintaining the security of any password, user ID or other form of authentication involved in obtaining access to password-protected or secure areas of any of our digital services. In order to protect you and your data, we may suspend your use of any of the services, without notice, pending an investigation, if any breach of security is suspected. Access to and use of password protected and/or secure areas of any of the services is restricted to authorized users only. Unauthorized access to such areas is prohibited and may lead to criminal prosecution.

Your Rights

Under the NDPA, you have the following rights in relation to your Personal Data. You may exercise these rights at any time by contacting our Data Protection Officer using the details in the Contact Information section.

1. Right to be Informed
   You are entitled to clear, transparent information about how and why we process your Personal Data, the categories of data involved, our lawful bases, recipients or categories of recipients, retention periods, and any transfers to third countries together with the corresponding safeguards.
2. Right of Access
   You may obtain confirmation as to whether we process your Personal Data and receive a copy of such data, together with the information required by NDPA, without unreasonable delay. Requests may be made via email to nigeriasupport@wahed.com or by calling +17652123831.
3. Right to Rectification
   You may require us to correct inaccurate Personal Data and to complete incomplete data without undue delay.
4. Right to Erasure (“Right to be Forgotten”)
   You may request the deletion of your Personal Data where, for example, the data are no longer necessary for the purposes collected, you have withdrawn consent and there is no other lawful basis, or the data have been unlawfully processed. We may continue to retain certain data where retention is required for legal, regulatory, tax, or compliance purposes, or for the establishment, exercise, or defence of legal claims.
5. Right to Restrict Processing
   You may request that we restrict processing of your Personal Data in specific circumstances (for example, while we verify accuracy or where processing is unlawful and you request restriction rather than erasure). During restriction, we will store your data but not otherwise process it except for legal claims or with your consent.
6. Right to Object
   You may object at any time to processing based on legitimate interests, including profiling on that basis, and we will cease such processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is required for legal claims. You may object at any time to processing for direct marketing, and we will stop such processing immediately.
7. Right to Data Portability
   Where processing is based on consent or on a contract and carried out by automated means, you may request to receive your Personal Data in a commonly used, machine-readable format and/or request that we transmit those data to another data controller where technically feasible.
8. Right to Withdraw Consent
   Where we rely on your consent, you may withdraw it at any time. Withdrawal will not affect the lawfulness of processing carried out before withdrawal, and we may continue processing where another lawful basis applies. Please refer to the Withdrawal of Consent section for more information.
9. Rights in Relation to Automated Decision-Making (including Profiling)
   You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Where such processing is used, you may request human intervention, express your point of view, and contest the decision.
10. Right to Lodge a Complaint
    You may lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe our processing violates NDPA. We encourage you to contact us first so we can address your concerns promptly.

How to Exercise Your Rights

To exercise any of your rights, you may contact our Data Protection Officer using the details provided in the Contact Information section of this Policy. For security, we may ask you to verify your identity before fulfilling your request, for example by confirming the email address associated with your Wahed account or other reasonable means. When submitting a request, please provide:

1. Your full name; and
2. A clear description of the right you wish to exercise.

If we decline a request, we will provide a clear explanation of our reasons and inform you of your options to escalate the matter, including to NDPC.

Withdrawal Of Consent

You are not obliged to permit us to process your personal data. If you do not wish us to do so, you may withhold your consent by writing to us at nigeriasupport@wahed.com. If you have previously given your consent for us to process your data for a specific purpose, you may withdraw or amend that consent at any time by providing a written notice to us. Such withdrawal or variation will not affect the lawfulness of processing carried out prior to our receipt of your notice.

Links to Third Party Websites and Services

You may use the Website to link to third party websites. If you use any link, you leave the Website. Your use of any third party website will be subject to that third party's terms and conditions. We do not monitor the content of third party web sites and any links provided are for your convenience only.

A link to any other website does not mean that we guarantee, approve or endorse the information or products available or the quality or accuracy of information presented on it.

We do not operate or control and have no responsibility for the information, products and/or services found on any external websites, unless expressly stated on such external websites. Nor do such links represent or endorse the accuracy or reliability of any information, products and/or services provided on or through any external websites, including, without limitation, warranties of any kind, either express or implied, warranties of title or non-infringement or implied warranties of merchantability or fitness for a particular purpose. You assume complete responsibility and risk in your use of any external sites.

If you decide to visit a third party website, you are subject to its privacy policy and practices, not this privacy policy. We encourage you to carefully review the legal and privacy notices of all other digital services that you visit.

Privacy of Childrens

Wahed respects the privacy of children. We do not knowingly collect names, email addresses or any other personally identifiable information from children. We do not knowingly market to children nor do we allow children under 18 to open online accounts. 

The Wahed app will only allow users that are aged 18 or above to register as mentioned on this document. If false information is entered by the client, this will be checked by our authorised identity verification provider as well as our internal KYC teams and the account will be blocked from signing up further.

Consequently, Wahed shall not be liable for any use or processing of Personal Data of persons under the age of 18.

If as a parent or guardian, you become aware that your child or ward child has provided us with any information without your consent, please contact us through the details provided in this Privacy Policy.

Governing Law

This Policy is made pursuant to the Nigeria Data Protection Act 2023 (NDPA), Global Data Protection Regulation (GDPR) and other relevant Nigeria laws and regulations. Where any provisions of this Policy is deemed inconsistent with a law or regulations, such provisions shall be subject to the overriding law or regulations.

Amendments to the Privacy Policy

We may update our privacy policy from time to time, to reflect changes to the mobile Application or Website, customer feedback and applicable rules and regulations. We will at all times notify you of any changes or updates.

Contact Information

We welcome any queries, comments, or concerns about this Privacy Policy or our data protection practices. You may contact our Data Protection Officer at:

• Email: nigeriasupport@wahed.com
• Telephone: +17652123831

If you are dissatisfied with how we collect or process your Personal Data, you also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC), the competent supervisory authority for data protection in Nigeria:

• Email: info@ndpc.gov.ng or dpo@ndpc.gov.ng 

This Privacy Policy will be reviewed on an annual basis, or sooner where required to reflect changes in law, regulation, or our business practices.