Privacy Policy

We process your personal data only when permitted by law. The lawful bases include:

• Consent: when you give clear permission (e.g., for marketing communications);
• Contract: when processing is necessary to perform our agreement with you;
• Legal Obligation: to meet regulatory or statutory requirements (e.g., AML/CTF laws);
• Legitimate Interests: for purposes such as fraud prevention, improving our services, and business analytics, provided your rights are not overridden.

In accordance with the NDPA, all processing activities are conducted based on valid legal grounds, and we ensure that such processing is necessary, proportionate, and does not unduly infringe on your fundamental rights and freedoms.

We use your personal data to:

• Deliver and improve our Services;
• Verify your identity and fulfill KYC/AML obligations;
• Detect and prevent fraud, money laundering, terrorism financing, or illegal activity;
• Provide customer support and respond to inquiries;
• Send you important updates, including security alerts and policy changes;
• Carry out audits, troubleshooting, and analytics;
• Comply with applicable laws and regulatory requirements;
• Conduct marketing and promotional communications (where permitted by law and subject to your consent).

Additionally, we use personal data for internal risk management, regulatory reporting, dispute resolution, enforcement of contractual rights, and maintaining the security and integrity of our platform.

We may share your personal information only in the following circumstances:

• With third-party service providers (e.g., fraud prevention, KYC/AML, payment processors, auditors, IT providers), under strict confidentiality agreements;
• With affiliates, subsidiaries, or other entities controlled by Obiex;
• With regulators, law enforcement agencies, or courts when legally required (e.g., court order, subpoena, regulatory directive);
• In connection with a merger, acquisition, or sale of assets, subject to this Policy;
• With your consent or at your direction.

We do not sell or rent your personal data to third parties.

We retain personal data only as long as necessary for the purposes set out in this Policy, including compliance with AML/CTF obligations and other legal requirements. Retention periods vary depending on the type of data and applicable laws.

If you request account closure, we will delete your personal information unless retention is required for:

• Ongoing investigations or disputes;
• Compliance with law or regulatory obligations;
• Fraud prevention.

We implement secure data retention and disposal practices, including anonymization, pseudonymization, or irreversible deletion of personal data when it is no longer required, in line with NDPA principles.

Depending on your jurisdiction, you may have the following rights:

• Right to access the personal data we hold about you;
• Right to correct inaccurate or incomplete data;
• Right to request deletion (erasure), subject to legal/regulatory retention obligations;
• Right to object to certain processing (including direct marketing);
• Right to restrict processing in certain circumstances;
• Right to data portability;
• Right to withdraw consent (where processing is based on consent);
• Right to lodge a complaint with a supervisory authority or regulator.

Under the NDPA, you also have the right to be informed about how your data is processed, the right not to be subject to solely automated decision-making that significantly affects you without appropriate safeguards, and the right to request details of any cross-border data transfers and the safeguards in place.

We use cookies and similar technologies to improve your experience on the Obiex Site. Cookies are small text files stored on your device that help us recognize you, remember your preferences, and enhance functionality.

Types of cookies we use include:

• Strictly Necessary Cookies: Required for the operation of the platform (e.g., login authentication, security);
• Performance/Analytics Cookies: Help us understand how users interact with the platform and improve performance;
• Functional Cookies: Enable enhanced functionality and personalization;
• Targeting/Advertising Cookies: Used to deliver relevant content and measure marketing effectiveness (where applicable).

You can manage or disable cookies through your browser settings. However, disabling certain cookies may affect the availability and functionality of the Services.

We may also use third-party analytics providers, and their use of cookies is governed by their respective privacy policies.

You must be at least 18 years old to use Obiex Services. We do not knowingly collect data from individuals under 18. If we discover such data, it will be deleted immediately.

We implement reasonable age-verification controls where necessary and reserve the right to request additional information to confirm a user’s age. Where parental or guardian consent is required by applicable law, such consent must be obtained prior to processing personal data.

We use administrative, technical, and physical safeguards designed to protect your personal information against unauthorized access, loss, misuse, or disclosure. These measures include encryption, restricted access, firewalls, and monitoring systems.

In addition, we implement:

• End-to-end encryption for sensitive data in transit and at rest;
• Role-Based Access Control (RBAC) and least privilege principles;
• Regular vulnerability assessments and penetration testing;
• Security monitoring, logging, and alerting mechanisms;
• Periodic staff training on data protection and information security.

Despite our efforts, no system is completely secure; however, we continuously review and enhance our security posture in line with industry standards and regulatory requirements.

In the event of a personal data breach, Obiex will take immediate steps to contain, investigate, and mitigate the impact of the breach.

Where the breach is likely to result in a risk to the rights and freedoms of data subjects, we will:

• Notify the relevant supervisory authority (including the Nigeria Data Protection Commission (NDPC)) within the timeframe prescribed under the NDPA;
• Notify affected data subjects without undue delay where there is a high risk to their rights and freedoms;
• Provide details of the nature of the breach, categories of data affected, likely consequences, and remedial actions taken.

We maintain a data breach register and incident response procedures to ensure timely and effective handling of all security incidents.

Obiex has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with this Privacy Policy and applicable data protection laws, including the NDPA.

The DPO’s responsibilities include:

• Monitoring compliance with data protection obligations;
• Advising on Data Protection Impact Assessments (DPIAs);
• Serving as a point of contact with regulatory authorities;
• Handling data subject requests and complaints.

Contact Details of the DPO:

Email: compliance@obiex.finance

We may update this Policy from time to time. When we make material changes, we will notify you by email or through the Obiex Site. The updated version will always carry the “Last Updated” date at the top.

Where required by applicable law, we will obtain your consent before implementing material changes that affect your rights or the way your personal data is processed.