GDPR Compliance Notice

Last updated 29th June 2026

This GDPR Compliance Notice (“Notice”) explains, for transparency purposes, how Jeroid approaches the data protection principles and individual rights commonly associated with the EU General Data Protection Regulation and the UK GDPR, in connection with your use of the Jeroid website and mobile application (together, the “Platform”).

1. Purpose and scope of this notice

Statement of applicability: Jeroid is established and operates primarily in Nigeria and processes personal data primarily under the Nigeria Data Protection Act 2023. GDPR applies, as a matter of EU/UK law, only to organisations that are established in the EU/UK or that target/monitor individuals located there. Jeroid does not currently do either. This Notice is published voluntarily to demonstrate alignment with internationally recognised data protection standards.

This Notice applies to all personal data collected through the Platform, including data collected for account registration, KYC/AML verification, crypto trading, digital payment processing, and gift card redemption services.

2. Data controller

Jeroid is the controller responsible for determining the purposes and means of processing your personal data through the Platform. For data protection enquiries, Jeroid can be contacted as set out in the Contact and complaints section below.

3. Data protection principles we apply

In handling your personal data, Jeroid applies the following principles, consistent with both the NDPR and GDPR standards:

  • Lawfulness, fairness and transparency – we process data lawfully and explain clearly how and why we use it;
  • Purpose limitation – we collect data for specified, explicit, and legitimate purposes, and do not process it in a manner incompatible with those purposes;
  • Data minimisation – we collect only the data that is adequate, relevant, and limited to what is necessary;
  • Accuracy – we take reasonable steps to keep data accurate and up to date;
  • Storage limitation – we retain data only for as long as necessary for the purposes for which it was collected, or as required by law (see the Data retention section below);
  • Integrity and confidentiality – we implement appropriate technical and organisational security measures to protect data;
  • Accountability – we maintain records of our processing activities and can demonstrate compliance with these principles.

4. Lawful basis for processing

Where we process personal data, we rely on one or more of the following lawful bases, by analogy with GDPR Article 6:

  • Contractual necessity – processing required to provide Jeroid Services under our Terms of Use, such as facilitating trades, payments, or gift card redemption;
  • Legal obligation – processing required to comply with AML/KYC, tax, and regulatory obligations, including those imposed by the CBN, SEC, and NFIU;
  • Legitimate interests – processing necessary for fraud prevention, platform security, and service improvement, balanced against your rights and interests;
  • Consent – processing based on your specific, informed consent, such as for marketing communications or non-essential cookies, which you may withdraw at any time.

5. Categories of personal data we process

Depending on which Services you use, we may process the following categories of personal data:

  • Identity data – full name, date of birth, government-issued ID, nationality, photograph/selfie for verification;
  • Contact data – email address, phone number, residential address;
  • Financial data – bank account details, payment card information, transaction history, wallet addresses;
  • Technical data – IP address, device identifiers, browser type, operating system, cookie data (see our Cookie Policy);
  • Usage data – information about how you use the Platform, including trading activity and payment patterns;
  • Verification data – KYC/AML screening results, sanctions and PEP (Politically Exposed Person) screening outcomes.

We do not intentionally collect special category data (e.g., health, biometric data used for identification purposes beyond standard liveness/ID verification, religious or political beliefs) except where strictly necessary for identity verification and in compliance with applicable law.

6. Your data protection rights

Consistent with GDPR-equivalent standards, and subject to applicable exemptions and our regulatory record-keeping obligations, you may exercise the following rights in relation to your personal data:

Right – What it means in practice on Jeroid

  • Right to be informed – You receive clear information about what data we collect and why, set out in our Privacy Policy and this Notice.
  • Right of access – You may request a copy of the personal data we hold about you.
  • Right to rectification – You may request correction of inaccurate or incomplete data, such as outdated KYC details.
  • Right to erasure – You may request deletion of your data, subject to our legal and regulatory retention obligations (e.g., AML record-keeping).
  • Right to restrict processing – You may request that we limit how we use your data in certain circumstances.
  • Right to data portability – You may request your data in a structured, commonly used, machine-readable format, where technically feasible.
  • Right to object – You may object to processing based on legitimate interests, including direct marketing.
  • Rights related to automated decision-making – You may request human review of any decision made solely by automated means that significantly affects you (e.g., automated fraud-risk scoring).

To exercise any of these rights, please contact us using the details in the Contact and complaints section below. We may need to verify your identity before actioning a request. We will respond within a reasonable period and, in any event, within one month of a verified request, in line with GDPR-equivalent timeframes; this period is extendable by up to two further months for complex requests.

7. Data retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements. In particular:

  • KYC and transaction records are generally retained for a minimum of five (5) years from the date of the relevant transaction or account closure, in line with AML record-keeping obligations;
  • Marketing data is retained until you withdraw consent or opt out;
  • Technical and cookie data is retained in accordance with the retention periods set out in our Cookie Policy.

Where retention is no longer necessary, we securely delete or anonymise the data.

8. International data transfers

Where your personal data is transferred to, or processed by, service providers located outside Nigeria (including, where applicable, in the EU/UK or elsewhere), we take steps to ensure an adequate level of protection, such as through contractual safeguards, recognised certifications, or other lawful transfer mechanisms, consistent with the Nigeria Data Protection Act 2023 and, where relevant, GDPR-equivalent transfer standards.

9. Security measures

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction, including:

  • Encryption of data in transit and at rest;
  • Role-based access controls and authentication requirements for internal systems;
  • Regular security testing and vulnerability assessments;
  • Employee training on data protection and confidentiality obligations;
  • Incident response procedures for suspected data breaches.

10. Personal data breach notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will assess the breach promptly and, where required by applicable law, notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to you, we will also notify affected Users without undue delay.

11. Contact and complaints

If you have questions about this Notice, wish to exercise any of your rights, or have concerns about how we handle your personal data, please contact our Data Protection Officer:

  • Email: dpo@jeroid.co

If you are not satisfied with our response, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC). If GDPR were ever to become applicable to Jeroid’s processing of your data (for example, if you are located in the EU/UK and we begin targeting such individuals), you would also have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or the place of the alleged infringement.

12. Updates to this notice

We may update this Notice from time to time to reflect changes in our practices, the scope of our operations, or applicable law. Material changes will be communicated via the Platform or by email. The “Last updated” date at the top of this Notice indicates when it was last revised.

Questions about this policy? Reach us at info@jeroid.ng.