Version 1.2

Last Updated: September 2025

YALA'S Privacy Policy

1. INTRODUCTION

This Privacy Policy ("Policy") outlines how Yala ("We," "Us," or "Our") collects, uses, stores, discloses, and protects the personal data of individuals, including customers, partners, employees, clients, vendors, and other third parties.

We are committed to handling and processing personal data in a lawful, fair, and transparent manner, in full compliance with applicable laws, including the Nigeria Data Protection Act (NDPA) 2023, the Personal Information Protection and Electronic Documents Act, the General Data Protection Regulation (GDPR), and such other laws that Yala shall be subject to (the "Data Protection Regulations").

This Policy explains our data handling practices and the rights available to you regarding the use of your personal data.

1.1 DEFINITION OF YALA

For the purposes of this Policy, "Yala" means:

  1. Rank Wyre Pay Inc., a private company incorporated under the laws of Canada with incorporation number BC1433448 and MSB registration number M23709006 situate at 422, Richards Street, Suite 170, Vancouver, BC, Canada, V6B2Z4,
  2. Yala Technologies Limited, a private company with RC No. 7270976 incorporated under the laws of the Federal Republic of Nigeria, situate at No. 11b, Ologun Agbaje Street, Victoria Island, Lagos, Nigeria,
  3. Yala Technologies Limited, a private company incorporated under the laws of England and Wales with Company No. 15813684, situate at 7, Bell Yard, London, WC2A 2JR, United Kingdom,
  4. Yala Technologies Inc. a private company with File Number: 5769543, incorporated under the laws of the State of Delaware, United States of America, situate at 1007 N Orange St., 4th Floor Ste 1382 Delaware, United States of America,
  5. YALA Technologies B.V a private company with RSIN 866831812, incorporated under the laws of The Kingdom of Netherlands, situate at San Marinostraat 121, 3541 DS, Utrecht, Netherlands, and

any subsidiaries or affiliates of Yala, wherever incorporated. Together, these entities are referred to in this Policy as "Yala", "We" or "Us".

2. SCOPE

This Policy applies to all personal data collected, processed, or stored by Yala across all operational channels and touchpoints. These include, but are not limited to:

  1. our software platforms, mobile and web applications,
  2. Yala's social media platforms,
  3. physical and digital forms,
  4. voice communications (e.g., phone calls),
  5. emails, text messages, and customer service chats,
  6. in-person interactions and other communication mediums, etc.
  7. authorized third-party integrations connected/relating to yala's services.

All personal data, regardless of format, means of collection or geography, is handled in accordance with the standards, safeguards, and user rights outlined in this Policy.

3. LEGAL BASIS FOR PROCESSING: WHY WE HOLD YOUR DATA

This Policy is guided by the legal requirements set out under applicable the Data Protection Regulations, which specify lawful grounds for the collection and processing of personal data. Yala processes personal data only when there is a valid legal basis including:

a) Consent: You provide consent to our processing of your personal data when you create an account, access our website, download our mobile application, or engage with any of our services. Consent may be withdrawn at any time, subject to legal or contractual restrictions.

b) Legal Obligation: We may process your personal data to comply with legal and regulatory obligations under Canadian, Nigerian, UK, EU, US, or other applicable laws. For example, we are required to collect specific data for compliance with international Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) standards.

c) Legitimate Interest: We may process your personal data when it is necessary to pursue our legitimate business interests, provided such interests do not override your fundamental rights and freedoms. These interests may include:

  • ensuring the security of our platforms and operations,
  • preventing fraud and financial crime,
  • enhancing and improving our services,
  • supporting operational efficiency and innovation.

4. YOUR PRIVACY RIGHTS

Under the Data Protection Regulations, you have several rights in relation to your personal data. These rights empower you to maintain control over how your personal data is collected, processed, and used by Yala. They include but are not limited to:

4.1. Right of Access:

You have the right to request a comprehensive report of all personal data we hold about you including:

  • why and how your data is processed,
  • the categories of data involved,
  • any third-party recipients with whom your data has been shared.

4.2. Right to Rectification:

You may request that we correct or update any inaccurate, incomplete, or outdated personal information.

4.3. Right to Erasure ("Right to be Forgotten"):

You have the right to request the deletion of your personal data from our records, especially when it is no longer necessary for the purposes for which it was collected. However, please note that this right may be subject to legal or regulatory obligations, such as Know Your Customer (KYC) and Customer Due Diligence (CDD) regulations that require retaining certain information for a specified period.

4.4. Right to Data Portability:

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that we transfer it to another service provider where technically feasible.

4.5. Right to Restrict Processing:

You may request that we restrict the processing of your personal data to certain purposes or services, particularly where the accuracy of the data is contested, or the processing is unlawful.

4.6. Right to Object:

You have the right to object to the processing of your personal data, particularly where it involves direct marketing, profiling, or is based on our legitimate interests, if you believe it impacts your fundamental rights or freedoms.

4.7. Right to Withdraw Consent:

Where processing is based on your consent, you have the right to withdraw that consent at any time. Please note that your withdrawal of consent does not affect the lawfulness of any processing carried out prior to such withdrawal.

4.8. Right to Lodge a Complaint:

If you believe your data has been mishandled, you may file a complaint with us by contacting our Data Protection Officer. If you are not satisfied with our response, you may escalate your complaint to the Nigerian Data Protection Commission (NDPC) or other regulators to whom Yala is subject to.

4.9. How to Exercise Your Rights:

To exercise any of your rights under this Policy, please send a clear written request specifying the right you wish to invoke to our Data Protection Team at dataprotection@useyala.com.

5. PERSONAL DATA WE COLLECT

We collect personal data during various interactions with our services in accordance with Data Protection Regulations. This data helps us provide secure, compliant, and personalised financial services. The types of personal data we collect may include, but are not limited to, the following categories:

5.1. Know Your Customer (KYC) / Customer Due Diligence (CDD) Data:

To comply with regulatory requirements and verify your identity, we may collect the following:

  1. full name, date of birth, gender, marital status, nationality,
  2. residential and mailing addresses,
  3. contact information (email address and phone number),
  4. Bank Verification Number (BVN) and National Identification Number (NIN), where applicable,
  5. government-issued identification (passport, driver's license etc.),
  6. biometric data (e.g., fingerprints, facial recognition, photographs),
  7. employment or business information,
  8. financial statements,
  9. credit history,
  10. business data which includes but not limited to business name, country of incorporation, company registration documents, ownership structures and information, and trade information.

5.2. Transactional and Financial Data:

This includes information relating but not limited to:

  1. receivables and payables information,
  2. bank account details,
  3. payment instructions,
  4. currency conversion preferences,
  5. transaction records of payments processed through Yala.

5.3 Device and Application Usage Data:

To enhance platform performance and user experience, we may collect technical data from your devices, such as:

  1. device type and model,
  2. operating system and version,
  3. unique device identifiers (e.g., IMEI, MAC address),
  4. Internet Protocol (IP) address,
  5. browser type and settings,
  6. mobile network information,
  7. app usage statistics, error logs and crash reports.

With your explicit consent, we may also access:

  1. GPS location data,
  2. camera access (e.g., for photo id verification or mobile check deposits),
  3. contacts (e.g., for referrals or in-app money transfers),
  4. calendar access (e.g., for setting reminders or appointments).

5.4. Third-Party Data Sources:

We may collect additional personal data from reliable third-party sources to meet regulatory obligations, assess risk, and improve service delivery. These sources include:

  1. identity verification service providers,
  2. credit bureaus and fraud prevention agencies,
  3. banks, payment processors, and other financial institutions,
  4. public records and regulatory databases,
  5. marketing or analytics partners (only where legally permitted).

5.5. Cookies and Performance Tracking Technologies:

We use cookies and similar technologies on our mobile app and website to:

  1. enable essential platform functionality,
  2. analyse user behaviour and performance metrics,
  3. personalize your experience.

You may manage your cookie preferences through your device or browser settings. For more information, please refer to our Cookie Policy.

6. HOW WE USE YOUR PERSONAL DATA

By creating an account or using the Yala App, website, or any other electronic channel, you give us express, informed, and revocable consent to collect, control, and process your personal data. We use your personal data to deliver secure, compliant, and personalised financial services. Below are the primary purposes for which we use your personal data:

6.1. Service Delivery:

Your personal data enables us to provide and manage our core financial services, including but not limited to:

  1. opening and maintaining accounts,
  2. processing payments and fund transfers,
  3. facilitating deposits, withdrawals, and other transactions,
  4. enabling access to digital banking and mobile app features.

6.2. Regulatory Compliance:

We are legally obligated to comply with various laws and regulations. Your data is processed to:

  1. perform KYC and CDD checks,
  2. conduct AML and CFT screenings,
  3. comply with tax, reporting, and audit requirements,
  4. respond to lawful requests from regulators, law enforcement, or the judiciary.

6.3. Innovation and Service Improvement:

We may analyse personal data to improve and innovate our services. This includes:

  1. conducting internal research and market analysis,
  2. understanding customer behavior and usage trends,
  3. enhancing features and user experience,
  4. testing and refining new tools, features, or financial products.

6.4. Communication and Customer Support:

We use your data to communicate with you and provide assistance, including:

  1. transaction alerts and service notifications and updates,
  2. customer service and dispute resolution,
  3. marketing messages, promotions, and service updates (subject to your preferences),
  4. feedback requests and satisfaction surveys.

Please Note: You may opt out of receiving promotional communications at any time via your account settings or by using the unsubscribe link in our emails and messages.

6.5. Security and Fraud Prevention:

Your personal data is essential for ensuring the safety and integrity of our systems. It helps us:

  1. monitor for and detect fraud in real-time,
  2. verify user identity and transaction authenticity,
  3. investigate suspicious or unauthorized activity,
  4. prevent cyberattacks and secure our infrastructure.

7. HOW WE SHARE YOUR DATA: THIRD-PARTY PROCESSING AND DISCLOSURES

We take your privacy seriously and only share your personal data when necessary and in accordance with this Policy.

7.1. Third-Party Service Providers:

We may share your personal data with third-party partners who assist us in delivering our services, fulfilling legal obligations, or supporting our operations. These may include:

  1. payment processors,
  2. identity verification providers,
  3. credit bureaus and fraud prevention agencies,
  4. data analytics firms,
  5. IT and cloud hosting providers,
  6. legal, regulatory, compliance, or audit professionals,
  7. other subcontractors or persons acting as our agents.

By using our mobile application, website, or other electronic channel, you expressly authorise Us to share your personal data with such partners for the purposes outlined in this Policy. We implement reasonable contractual and technical safeguards to ensure that third parties handle your data in compliance with globally recognised data protection standards. However, Yala shall not be liable for unauthorized access, misuse, or security breaches caused by these third parties beyond our control.

7.2. Disclosures in Fraud Investigations and Legal Requests:

In cases of actual or suspected fraud or unlawful activity, we may disclose your personal data to law enforcement or regulatory authorities, including but not limited to:

  1. the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC),
  2. the Nigerian Police Force (NPF),
  3. the Economic and Financial Crimes Commission (EFCC),
  4. the Nigerian Financial Intelligence Unit (NFIU),
  5. the Federal Bureau of Investigation (FBI),
  6. other authorised government bodies and courts.

Disclosed information may include, but is not limited to: full name and contact details, Bank Verification Number (BVN), transaction records and account history, identification documents and other relevant personal data.

Important Notes:

  1. Disclosures in fraud investigations and legal requests disclosures may be made without prior notice to you, where required by law or necessary to prevent harm or support an active investigation.
  2. We will ensure that disclosures are made in good faith, in accordance with applicable laws, and only upon reasonable suspicion or evidence of misconduct.

By using the Yala App or other related services, you consent to the disclosure of your personal data for the purposes of fraud investigation and regulatory compliance.

7.3. Cross-Border Data Transfers:

We may collect, store, control, or transfer your personal data within our subsidiaries, and to trusted third parties, affiliates, or service providers located in jurisdictions outside of where Yala operates. In such cases, We will ensure that adequate safeguards are in place to protect your personal data by:

  1. transferring personal data only to countries with adequate data protection laws, recognised by the countries in which We operate;
  2. ensuring our contracts include standard contractual clauses;
  3. ensuring data processing agreements are aligned with the Data Protection Regulations and global best practices.

You may request further information about the safeguards applied to international data transfers by contacting us at dataprotection@useyala.com.

8. DATA RETENTION

We retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations. In particular, as a regulated financial institution, we are obligated to retain certain data (e.g., KYC and transaction records) for a minimum period of five (5) years after the end of your relationship with Us, in compliance with relevant anti-money laundering and financial regulations. After the applicable retention period, your data will be securely deleted, anonymized, or archived, unless further retention is required for:

  1. legal proceedings or investigations,
  2. tax or regulatory audits,
  3. fraud prevention or enforcement actions.

You may request further details on our data retention practices by contacting our Data Protection Team at dataprotection@useyala.com.

9. DATA SECURITY MEASURES

We implement a range of technical, organisational, and administrative security measures to protect your personal data against unauthorised access, loss, misuse, alteration, or destruction. These include:

  1. end-to-end encryption of data in transit and at rest,
  2. secure login and multi-factor authentication protocols,
  3. regular security audits and penetration testing,
  4. role-based access controls for staff,
  5. continuous fraud monitoring, audit for security threats and anomalies.

Despite our best efforts, no method of data transmission or storage can be guaranteed to be 100% secure. Therefore, we encourage you to also take steps to protect your data, such as keeping your login credentials confidential and enabling multi-factor authentication where applicable. If you suspect that your account has been compromised or your data has been mishandled, please contact us immediately at compliance@useyala.com.

10. UPDATES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal obligations, or regulatory requirements. When changes are made:

  1. we will post the updated version on our website and/or mobile app;
  2. if the changes are material, we will notify you via email or in-app notification. A summary of significant updates will accompany each revision to ensure clarity;
  3. the effective date of the updated policy will be clearly stated at the top of the document; and
  4. updates to our Policy shall take effect on the day on which they are published. We encourage you to review this Policy periodically to stay informed about how we protect your personal data.

11. CONTACT US

If you have any questions, concerns, complaints, or requests related to this Privacy Policy or the processing of your personal data, you may contact Us via email at dataprotection@useyala.com.