Privacy Policy
At Enterra, we believe your privacy is foundational — not an afterthought. This Privacy Policy explains how Enterra Limited ("Enterra," "we," "our," or "us") collects, uses, shares, and protects your personal information when you use our mobile application, website (enterra.ng), and related services (collectively, the "Services"). Please read this policy carefully. By using our Services, you agree to the practices described herein.
1. Information We Collect
We collect information you provide directly, information generated through your use of our Services, and information from third-party partners necessary to deliver our financial services.
Information you provide to us:
- Account registration: Full name, email address, phone number, date of birth, nationality, and residential address.
- Identity verification (KYC): Government-issued ID (passport, national ID), Bank Verification Number (BVN) for Nigerian passport holders, selfie/biometric data, and proof of address — processed via our KYC partner.
- Payment information: Card details, bank account information, and transaction history. We do not store full card numbers; this is handled by our PCI-compliant payment processors.
- Communications: Messages, emails, or support requests you send to us.
Information collected automatically:
- Device identifiers (device ID, OS version, app version)
- IP address and approximate location
- Log data (pages visited, features used, timestamps)
- Crash reports and performance diagnostics
Information from third parties:
- Identity verification results and fraud signals from Sumsub
- Transaction processing data from Stripe, Fincra, and Sudo Africa
- Banking data from Safe Haven Microfinance Bank (our NGN settlement bank)
2. How We Use Your Information
We use your information for the following purposes:
- Providing our Services: Processing fund transfers, issuing and managing your Naira prepaid card, facilitating FX conversion, and enabling card transactions in Nigeria.
- Identity verification and compliance: Meeting CBN KYC/AML requirements.
- Fraud prevention and security.
- Customer support.
- Communications: Transactional notifications, account updates, and promotional info (with consent).
- Legal obligations: Compliance with laws, regulations, and reporting requirements.
- Product improvement: Usage analysis to improve features and fix bugs.
Legal bases (NDPR / GDPR): We process your personal data on the bases of contractual necessity (to provide the Services you requested), legal obligation (regulatory compliance), legitimate interests (fraud prevention, security), and — where required — your explicit consent.
3. How We Share Your Information
We do not sell your personal data. We share your information only as described below:
- Service providers: We share data with third-party vendors who process data on our behalf, including Sumsub (KYC), Stripe (payment processing), Fincra (FX conversion and IMTO services), Sudo Africa (card issuance), and Safe Haven MFB (NGN settlement). These partners are contractually bound to process data only as directed and to maintain appropriate security standards.
- Regulatory and legal authorities: We may disclose information to the CBN, NFIU, EFCC, or other competent authorities where required by applicable law or regulation, including AML/CFT reporting obligations.
- Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity, subject to equivalent privacy protections.
- With your consent: We may share information for any other purpose with your explicit prior consent.
4. Data Retention
We retain your personal information for as long as necessary to provide our Services and comply with our legal obligations:
- Account and transaction data is retained for a minimum of 5 years after account closure, in accordance with CBN AML/CFT regulations.
- KYC documentation is retained for 5 years following the end of the customer relationship, as required by the Money Laundering (Prevention and Prohibition) Act 2022.
- Inactive accounts may be closed after a period of inactivity, subject to applicable unclaimed funds regulations.
When retention periods expire, we securely delete or anonymize your data.
5. Data Security
We implement industry-standard technical and organizational measures to protect your personal information, including:
- TLS encryption for all data in transit
- Encryption of sensitive data at rest
- PCI-DSS compliant card data handling via our payment partners
- Role-based access controls and audit logging
- Regular security assessments and vulnerability testing
No system is entirely immune to risk. If you suspect unauthorized access to your account, contact us immediately at [email protected].
6. Your Rights and Choices
Subject to applicable law, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to legal retention obligations.
- Portability: Request your data in a structured, machine-readable format.
- Objection / Restriction: Object to certain processing activities or request that we restrict processing in specific circumstances.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. Note that some rights are subject to overriding legal obligations (e.g., regulatory data retention requirements).
Marketing communications: You may opt out of promotional emails at any time by clicking "Unsubscribe" in any marketing email or by contacting us directly. Transactional and regulatory notices are not subject to opt-out.
7. Children's Privacy
Our Services are intended solely for individuals aged 18 and above. We do not knowingly collect personal information from anyone under 18. If we become aware that a minor has provided us with personal data, we will take steps to delete it promptly. If you believe a minor has submitted information to us, please contact us at [email protected].
8. International Data Transfers
Enterra is incorporated in Delaware, USA, and operates in Nigeria. Your data may be processed in the United States, Nigeria, and other countries where our service providers operate. When we transfer personal data internationally, we ensure appropriate safeguards are in place — including contractual protections consistent with the Nigeria Data Protection Regulation (NDPR) and, where applicable, GDPR Standard Contractual Clauses.
9. Third-Party Services
Our app and website may contain links to or integrations with third-party services. This Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party service you use in connection with Enterra.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (to the address associated with your account) and/or by a prominent notice within the app at least 14 days before the change takes effect. Your continued use of our Services after the effective date constitutes your acceptance of the updated Policy.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy team:
- Email: [email protected]
- Website: enterra.ng
- Address: Ikoyi, Lagos, Nigeria
If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.