Privacy Policy.

SohCahToa Finance Company Limited ("SFCL", "we", "us", or "our") is committed to protecting and respecting your privacy. This policy sets out the basis on which personal data we collect from you, or that you provide to us, will be processed. Please read this carefully to understand our views and practices regarding your personal data and how we will treat it.

By accessing or using our Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree to this policy, please do not use our services. By using the service, you agree to the collection and use of information in accordance with this policy. We are committed to complying with:

• The Nigeria Data Protection Act (NDPA) 2023
• Relevant Central Bank of Nigeria (CBN) guidelines
• Applicable data protection and cybersecurity regulations.

For the purposes of this Privacy Policy:

This Privacy Policy applies to:

• All customers, users, prospects, and visitors interacting with SFCL's digital platforms.
• Employees, contractors, and third-party service providers handling personal data.
• All personal data processed in connection with SFCL's financial products and services.
• All processing activities carried out by or on behalf of SFCL.

We collect and process the following categories of personal data:

4.1 Identity & KYC Data

• Full legal name, date of birth, gender, nationality
• Government-issued ID (NIN, BVN, passport, driver's licence)
• Photographs and biometric data (where applicable)
• Signature

4.2 Contact Information

• Email address, phone number, postal/residential address
• Next-of-kin details

4.3 Financial Information

• Bank account details, BVN, transaction history
• Income details, credit history, loan repayment data
• Investment portfolio information

4.4 Employment/Business Data

• Employer name, staff ID, payslips (for salaried customers)
• Business registration documents, CAC details (for SME customers)
• Tax identification number

4.5 Communication Data

• Enquiries, complaints, feedback submitted via our platform or channels
• Call recordings (for compliance and service improvement)

4.6 CCTV & Security Monitoring

Where you visit our physical office, CCTV footage may be captured for security purposes.

We process your personal data for the following legitimate purposes:

• Customer onboarding, account management, and KYC/AML compliance
• Credit assessment and loan origination
• Savings and investment account administration
• Regulatory reporting and compliance obligations
• Fraud prevention, risk management, and security monitoring
• Customer service, dispute resolution, and communication
• Marketing and promotional communications (where consented)
• Business analytics, product improvement, and research
• Maintaining and improving our operational infrastructure

Under the NDPA 2023 and applicable laws, we process personal data based on:

• Consent – Where you have given explicit consent (e.g., marketing communications).
• Contractual necessity – Processing required to execute an agreement with you.
• Legal obligation – Where we are required to process data by law (e.g., CBN/SCUML AML reporting).
• Legitimate interests – For fraud prevention, security, and improving our services.
• Vital interests – In rare cases involving safety of individuals.
• Public task – In support of activities in the public interest as a licensed financial institution.

We may share your data with:

• Regulatory bodies (CBN, EFCC, NFIU, NDIC) as legally required
• Credit bureaus (e.g., CRC, FirstCentral) for credit scoring and risk management
• Third-party service providers under strict data processing agreements
• Professional advisors (legal, audit, tax) bound by confidentiality
• Group entities or affiliates for internal operational purposes

We do not sell, rent, or trade your personal data. All third parties are contractually bound to data protection standards consistent with this policy.

Where data is transferred outside Nigeria, SFCL ensures appropriate safeguards are in place, including:

• Binding contractual clauses with recipient entities
• Adequacy decisions or equivalent data protection frameworks

We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, or destruction, including:

• TLS/SSL encryption for data in transit; AES-256 encryption at rest
• Role-based access controls (RBAC) and multi-factor authentication (MFA)
• Regular vulnerability assessments and penetration testing
• Strict staff confidentiality agreements and data handling training
• Incident response and data breach management procedures
• Secure disposal of physical and digital records

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including:

• Active customer records: Duration of relationship + 7 years post-relationship
• KYC/AML records: Minimum 5 years (as required by NFIU/CBN)
• Loan records: 7 years after loan closure
• Fraud investigation records: Up to 10 years

After the applicable retention period, data is securely deleted or anonymised.

SFCL classifies all personal data into the following tiers:

• Public – Non-sensitive, publicly available information
• Internal – Operational data for internal use only
• Confidential – Customer financial and identity data
• Strictly Confidential – Biometric, health, and sensitive KYC data

Each classification tier has corresponding access, handling, storage, and disposal controls.

Under the NDPA 2023, you have the following rights regarding your personal data:

• Right to Access – Obtain a copy of your data we hold
• Right to Rectification – Correct inaccurate or incomplete data
• Right to Erasure – Request deletion where legally permissible
• Right to Restrict Processing – Limit how we use your data
• Right to Data Portability – Receive data in a structured, machine-readable format
• Right to Object – Object to processing based on legitimate interests or direct marketing
• Right to Withdraw Consent – Revoke consent at any time without penalty
• Right not to be subject to automated decisions – Challenge decisions made solely by automated systems

To exercise these rights, contact our Data Protection Officer (DPO) at info@sohcahtoafinance.com. We will respond within 30 days as required by law.

We carry out Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including the introduction of new technologies or systems that process sensitive personal data. DPIAs help us identify and mitigate potential risks before processing begins.

Certain decisions (e.g., loan approvals, risk scoring) may involve automated processing. You have the right to request human review of any automated decision that significantly affects you. To exercise this right, contact us at info@sohcahtoafinance.com.

Our website uses cookies and similar tracking technologies to improve user experience, analyze traffic, and enhance security. Please refer to our separate Cookies Policy for full details on the types of cookies used and how to manage your preferences.

Our core financial services are not directed at persons under 18. We do not knowingly collect personal data from minors. Exception: Kiddies Piggy Save accounts are created and managed by parents/guardians. In this case, the guardian bears responsibility for consenting on behalf of the minor. If you believe we hold data from a minor without proper authorisation, please contact us immediately.

In the event of a personal data breach, SFCL will:

• Contain the breach and assess its scope and impact
• Notify the NDPC within 72 hours of becoming aware, where required
• Inform affected individuals without undue delay if the breach poses high risk to their rights
• Document all breach incidents and remediation actions

Our website and communications may contain links to third-party websites. SFCL is not responsible for the privacy practices or content of those sites. We encourage you to review their privacy policies before providing any personal information.

We may update this Privacy Policy from time to time to reflect changes in law, technology, or our business practices. All updates will be posted on our website with a revised effective date. Continued use of our services following notification of changes constitutes acceptance.

For privacy-related enquiries, data subject requests, or complaints, please contact: