United Kingdom
Nigeria
Terms & Conditions
Terms & Conditions
Policies
Privacy Policy
Complaints
Cookie Policy
FAQs
FAQs
Legal
NigeriaPrivacy Policy

Privacy Policy

Background

We’re Kuda Microfinance Bank Limited (‘we’, ‘our’, ‘us’) and operate under the brand name Kuda or Kuda Bank.  We’re registered with the Corporate Affairs Commission with the number RC796975 and licensed by the Central Bank of Nigeria as a microfinance bank.

This Privacy Policy describes what information we collect about our customers, how we collect and use the information you share with us, and with whom we share that information.  You don’t have to share any information with us, but to use our services, we’ll need some information from you. This policy also contains information about when we share your personal information with third parties (such as our service providers and credit bureaus).   References to “you” or “your” throughout this policy shall refer to our customers (individuals or businesses) or persons who use or try to use any of our services through any of our platforms.

This Privacy Policy does not apply to services that are not owned or controlled by Kuda including third-party websites and the services of other Kuda partners, or merchants. This Privacy Policy applies to all forms of systems, operations and processes within the Kuda environment that involve the processing of personal data.

By using or accessing any of our services, you agree to the collection, use, and disclosure of your personal data as described in this Privacy Policy. Your use of our services is also subject to our regular terms and conditions for account opening.

Should you disagree to abide by such terms, or if you revoke your consent to the processing of your personal data, your account will be disabled and you will no longer be able to access or interact with us on any of our platforms.

What information do we collect?

Information you give us on Kuda Applications.

We collect and use any information you supply when you interact with any of our touch points. When you open an account with us, you share details like your names, Bank Verification Number (BVN), identification documents, address and pictures. By using our card or any Kuda Application to transact, you also share details of your transactions with us.

Other details we collect and what we do with them include:

  • Details you give when you sign up for a Kuda account, like your BVN, names, date of birth, gender, phone number, residential address, and email address are in fulfillment of regulatory requirements.
  • Your profile picture.
  • We collect a video of your face during a liveness check done to confirm that you're the one opening or upgrading your Kuda account. We share this video with a third-party service provider to facilitate our liveness check.
  • You may choose not to upload a video of your face on the Kuda app, however, this will limit what you can do with your Kuda account as the identification and verification will be incomplete.
  • We will not share the video of your face that we collect during a liveness check with advertisers or anyone else other than the third-party service provider that facilitates the liveness check process.
  • If at any time you choose to withdraw your consent for us to use this video for your liveness check, we will delete it. However, please note that this would affect your ability to use your account as certain services are dependent on us processing your video for the liveness check.
  • Information you give us through the in-app chat so we can help you.
  • To help protect you against fraud by tracking the location of your phone if you’ve authorised it.
  • View your contact list for airtime purchases or access your SMS and related data.

The above is not exhaustive as we may need to collect additional information and data as our services evolve or as a result of changes in regulatory requirements.

Additionally, we may collect special or sensitive data about you such as gender/sex, personal identifiable information and sensitive financial information. Additionally and with particular reference to credit applications you make to us, from your device, we may collect your SMS logs, contacts, location and applications, to enable us to determine your creditworthiness, handle credit related fraud cases  or comply with KYC requirements, as applicable.

Information you give us when you contact us through other channels

If you contact us via other means than the in-app chat, we collect the following information so we can answer your questions or take action

  • The phone number you’re calling from and information you give us during the call
  • The email address you use and the contents of your email (and any attachments) sent to us.
  • Public details from your social media profile like Facebook, Instagram or X (formerly Twitter).  if you reach out to us via these platforms, and the contents of your messages or posts to us

Information we collect when you use Kuda channels

  • The mobile network operator and the operating system that you use,
  • Your IP addresses and device ID
  • Your phone contacts so you can make airtime purchases or pay contacts on Kuda

Information we get from third parties

As part of our Know Your Customer (KYC) process, we run checks on the identity information you supply during signup. We will verify the authenticity and validity of the identification document that you have provided, either directly from the issuing authorities or through authorized service providers. We may also retrieve or verify information about you from public sources such as government databases.

Also, when you request for credit or lending related products and services, we run further checks with the licensed credit bureaus for eligibility checks in line with regulations.

How do we use your information : grounds for processing of personal data

The Nigeria Data Protection Act, 2023 (NDPA) and the Nigerian Data Protection Regulations 2019 (NDPR) requires that we have a lawful basis for processing your personal data. At least one of the following lawful basis (key basis explained in detail in the next paragraphs) must apply before we process your personal information:

  • you have given us consent to do so;
  • contractual or legal obligations require us to do so;
  • legitimate interest of the data controller;
  • processing is necessary for the performance of a task carried out in the public interest;
  • processing is necessary to protect the vital interest of the data subject or of another natural person.

(a) Contractual Obligation

We collect certain data from you to fulfill the contract we have with you, or to enter into a contract with you. We use this data to:

  • Give you the services we agreed to in line with our terms and conditions.
  • Send you messages about your account and other services you use if you get in touch, or we need to tell you about something..
  • Exercise our rights under contracts we’ve entered into with you, like managing, collecting and recovering money you owe us.
  • Investigate and resolve complaints and other issues.

(b) Legal Duty

We have to ensure we aren’t breaking any laws by offering our banking and related services to by preventing illegal activities like money laundering, terrorism financing and fraud. To do this, we need to process your data to:

  • confirm your identity when you sign up or get in touch.
  • prevent illegal activities like money laundering, tax evasion and fraud.
  • keep records of information we hold about you in line with legal requirements.
  • adhere to banking laws and regulations (these mean we sometimes need to share customer details with regulators, tax authorities, law enforcement or other third parties).

(c) Legitimate Interest of the data controller

In some instances, we need to use the data you supply us for our legitimate interests. This means we’re using your data in a way that you might expect us to, for a reason which is in your interest and doesn't override your privacy, interests or fundamental rights and freedoms

Who do we share your information with?

Kuda will not share or disclose your personal data with a third party without your consent except as necessary to provide our services or as described in this Privacy Policy.

  • Financial and Related Services and Payment Processing. When you provide payment data, we will share payment and transactional data with banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, or other related financial services
  • Third Party Service providers - We share personal data with vendors or agents
  • Third Party Service providers - We share personal data with vendors or agents working on our behalf for the purposes described in this statement. For example, companies we engage to provide external services, customer service support, card delivery services, address verification services, to assist in protecting and securing our systems and services, or to perform sanctions screening and identity verification services may need access to personal data to provide those functions.  The processing by such third parties shall be governed by a written contract with Kuda to ensure adequate protection and security measures are put in place for the protection of your personal data in accordance with the terms of this Privacy Policy.
  • Related group companies and affiliates - We support and enable access to personal data across our subsidiaries, affiliates, and related companies in certain necessary circumstances, for example, where we share common data systems or where access is necessary to provide our services and operate our business.
  • Law enforcement - We may access, disclose, and preserve personal data in accordance with applicable law and when we believe that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.
  • Security, safety, and protecting rights - We will disclose personal data if we believe it is necessary to:

    • protect our merchants and others, for example to prevent fraud, or to help prevent the loss of life or serious injury of anyone;
    • operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or
    • protect the rights or property or ourselves or others, including enforcing our agreements, terms, and policies

In some cases, third party analytics and advertising companies also collect personal data through our website and apps including, marketing and communications data, demographic data, content and files, geolocation data, usage data, and inferences associated with identifiers and device information (such as cookie IDs, device IDs, and IP address) as described in the Cookies section of this policy.  These third party vendors may combine this data across multiple sites to improve analytics for their own purpose and others.

How we protect your personal information

Kuda has set up secure adequate technical and organisational controls to protect the integrity and confidentiality of our customer’s personal data, both in digital and physical format, with the aim of preventing personal data from being compromised.  We protect our customer’s personal data using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorised access, disclosure and alteration, we also use industry recommended security protocols to safeguard personal data we receive or access relating to our customers.

Other security safeguards include but are not limited to data encryption, firewalls, and physical access controls to our building and files and only granting access to Personal Information to only employees who require it to fulfil their job responsibilities.

In compliance with the Payment Card Industry Data Security Standards, we implement access control measures, security protocols and standards including the use of encryption and firewall technologies to ensure your card information is safe and secure in our servers, additionally, we implement periodical security updates to ensure that our security infrastructures are in compliance with reasonable industry standards.

We also maintain a data breach procedure in order to deal with incidents concerning personal data or practices leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

You may contact our DPO upon becoming aware of any breach of your personal data or if your access credentials have been compromised, to enable us to take the necessary steps towards ensuring the security of your personal data or account.  We will report any breaches that will compromise your rights and freedoms to the relevant regulatory authority within 72 hours of discovery

What are your rights?

  • You have the right to access and request the information that we have on you in our records, and you may receive the information in a structured, commonly used, machine-readable format, and also ask us to transfer it to another data controller (this is the right to the portability of data).
  • You may also ask us to delete your information on our record, restrict the way in which we use your personal information, ask that we update the personal information we hold about you or correct such personal information which you think is incorrect or incomplete, and we will grant this request as long as we’re legally allowed to.
  • You also have the right to object to us using your information for our marketing purposes or any additional services we may be offering you.
  • You may request that we restrict the processing of your data while a request or objection is being resolved, or during legal proceedings.
  • You also have the right not to be subject to decisions based solely on automated processing and request for human intervention, express your views, and contest the decision, unless it is necessary for a contract, authorized by law, or based on your explicit consent.
  • You may also withdraw any consent you’ve previously given us.

Transfer of Personal Data

As part of our service provision, we may rely on third-party servers, databases co-located with hosting providers, resident in foreign jurisdictions, which constitutes the transfer of your personal data to computers or servers in foreign countries. We take steps designed to ensure that the data we collect under this Privacy Policy is processed and protected according to the provisions of this Policy and applicable law wherever the data is located.

Where personal data is to be transferred to a country outside Nigeria, Kuda  shall ensure adequate measures are put in place to ensure the security of such personal data. Any transfer of personal data outside of Nigeria will be in accordance with the provisions of relevant data protection regulations. In particular, Kuda shall, among other things, use contractual terms to ensure protection of the data or ensure the recipient country has adequate data protection laws that would afford the same level of protection of our customer’s personal data.

Should you wish to transfer personal data to a country deemed to have inadequate data protection laws, Kuda will take all necessary steps to ensure that informed consent is obtained from you, and you are aware of the risks entailed with such transfer.  We will ensure personal data is transmitted in a safe and secure manner.  Details of the protection given when your personal data  is transferred abroad, and details of the basis of such transfers shall be provided to you upon request.

Cookies

We and our partners use cookies and similar technologies on our website and on other platforms to help collect information and operate the site.  We use cookies to: remember visitors to our websites or other platforms; make your user experience easier; customise our services, content and advertising; help you ensure that your account security is not compromised, mitigate risk and prevent fraud; and to promote trust and safety on our website. Cookies are small text files placed by a website and stored by your browser on your device.  Our cookies hold a unique random reference to you so that once you visit the site we can recognise who you are and provide certain content to you.  Most web browsers are set to accept cookies by default. If you prefer, you can go to your browser settings to learn how to delete or reject cookies. If you choose to delete or reject cookies, this may impact your experience using our website.

How long do we keep your data?

Kuda will retain your personal information for the following periods:

  • as long as reasonably necessary for the purpose of providing our services to you;
  • for the duration your account is active and we have your consent;
  • for the period needed to comply with our legal and statutory obligations;
  • as needed to verify your information with a financial institution

We are statutorily obliged to retain the data you provide in order to process transactions, ensure settlements, make refunds, identify fraud and to comply with applicable laws and regulatory guidelines, as applicable.

Under the Central Bank of Nigeria’s Customer Due Diligence Regulations and Guidelines we are mandated to retain transactional records (customer and beneficiary names, addresses, identification number etc) for at least five years following the completion of the transaction or the cessation of the legal relationship with a customer.  Therefore, even after closing your Kuda account, we will need to retain certain personal data and transaction data to comply with these obligations.

The length of storage of personal data shall, amongst other things, be determined by:

  • The contract terms agreed between Kuda and the customer or as long as it is needed for the purpose for which it was obtained;
  • Whether the transaction or relationship has statutory implication or a required retention period; 
  • Whether there is an express request for deletion of personal data by the customer, provided that such request will only be treated where the customer is not under any investigations which may require us to retain such data or there is no subsisting contractual arrangement with the customer that would require the continuous processing of the personal data; or
  • Whether Kuda has another lawful basis for retaining that information beyond the period for which it is necessary to serve the original purpose

When do we delete your data?

We are basically storing and processing your personal data only as long as it is necessary to perform our obligations under the agreement with you or as long as the law requires us to store it. That means, if the data is not required anymore for statutory or contractual obligations, your data will be deleted.

If you choose to delete your Kuda account, we will delete any data you have previously given us, including the video of your face uploaded during the liveness check. However, this is subject to the retention provisions of this policy.

How to lodge a complaint?

At Kuda, we’re extremely committed to respecting and protecting your personal information. If you have any worries, reservations or complaints about your personal information, please contact our Data Protection Officer by:

  • Sending a message via the app
  • Emailing us at dpo@kuda.com
  • Writing to us at 1-11 Commercial Avenue, Yaba, Lagos

After we receive any complaints from you, we will do our best to fix the problem.

Changes to this document

This document will be reviewed on a yearly basis, or more frequently if occasioned by changes or amendment to applicable data protection regulations. If we make any changes, we’ll add a note to this page and if there are significant changes we’ll let you know by email.

This document was last updated in May 2025.